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CHAPTER 1 
INTRODUCTION TO iAPX 286 


The iAPX 286 is the most powerful processor 
in the iAPX 86 series of microprocessors, 
which includes the iAPX 86 (8086), the iAPX 
88 (8088), the iAPX 186 (80186), and now 
the iAPX 286 (80286). It is designed for 
applications that require very high perfor- 
mance. It is also an excellent 
choice for 
sophisticated "high end" applications that will 
benefit 
from 
its advanced 
architectural 
features: 
memory management, 
protection 
mechanisms, task management, 
and virtual 
memory support. The iAPX 286 provides, on 
a single VLSI chip, computational and archi- 
tectural 
characteristics 
normally associated 
with much larger minicomputers. 


Sections 1.1, 1.2, and 1.3 provide an overview 
of the iAPX 286 architecture. 
Because the 
iAPX 286 represents a revolutionary exten- 
sion of the iAPX 86 architecture, some of this 
overview material may be new and unfamil- 
iar to previous users of the iAPX 86 and 
similar microprocessors. But the iAPX 286 is 
also an evolutionary development, with the 
new architecture 
superimposed 
upon the 
industry standard iAPX 86 in such a way as 
to affect only the design and programming of 
operating 
systems and other such system 
software. Section 1.4 provides a guide to the 
organization 
of 
this 
manual, 
suggesting 
which chapters are relevant to the needs of 
particular readers. 


1.1 GENERAL ATTRIBUTES 


The iAPX 286 base architecture 
has many 
features in common with the architecture of 
other members of the iAPX 86 family, such 
as byte addressable memory, I/O interfacing 
hardware, interrupt vectoring, and support for 
both multiprocessing 
and processor exten- 
sions. The entire family has a common set of 
addressing modes and basic instructions. The 


iAPX 286 base architecture 
also includes a 
number of extensions which add to the versa- 
tility of the computer. 


The iAPX 286 processor can function in two 
modes of operation (see section 1.2, Modes of 
Operation). In one of these modes only the 
base architecture 
is available to program- 
mers, whereas in the other mode a number of 
very powerful advanced features have been 
added, including support for virtual memory, 
multitasking, and a sophisticated protection 
mechanism. 
These advanced 
features 
are 
described in section 1.3. 


The iAPX 286 base architecture was designed 
to 
support 
programming 
in 
high-level 
languages, 
such as Pascal 
or PL/M. 
The 
register set and instructions are well suited to 
compiler-generated 
code. The addressing 
modes (see section 
2.6.3) 
allow efficient 
addressing of complex data structures, such 
as static and dynamic arrays, records, and 
arrays within records, which are commonly 
supported by high-level languages. The data 
types supported by the architecture 
include, 
along with bytes 
and words, 
high 
level 
language constructs such as strings, BCD, and 
floating point. 


The memory architecture 
of the iAPX 286 
was designed to support modular program- 
ming techniques. 
Memory 
is divided into 
segments, which may be of arbitrary size, that 
can be used to contain procedures and data 
structures. Segmentation has several advan- 
tages over more conventional linear memory 
architectures. It supports structured software, 
since 
segments 
can 
contain 
meaningful 
program units and data, and more compact 
code, since references within a segment can 
be shorter (and locality of reference usually 


insures 
that 
the next few references 
will be 


within the same segment). 
Segmentation 
also 


lends 
itself 
to efficient 
implementation 
of 


sophisticated 
memory 
management, 
virtual 


memory, 
and memory 
protection. 


In addition, 
new instructions 
have been added 


to the 
base 
architecture 
to give 
hardware 


support 
for procedure 
invocations, 
parameter 


passing, and array bounds checking. 


1.2 MODES OF OPERATION 


The iAPX 
286 can be operated 
in either 
of 


two different 
modes: Real Address 
Mode 
or 


Protected 
Virtual 
Address 
Mode 
(also 


referred 
to 
as Protected 
Mode). 
In 
either 


mode of operation, 
the iAPX 
286 represents 


an upwardly 
compatible 
addition 
to the iAPX 


86 family of processors. 


In 
Real 
Address 
Mode, 
the 
iAPX 
286 


operates 
essentially 
as 
a very 
high-perfor- 


mance iAPX 86 (8086). Programs 
written for 


the iAPX 86 or the iAPX 186 can be executed 
in this mode without 
any modification 
(the 


few exceptions 
are described 
in Appendix 
D, 
"Compatibility 
Considerations"). 
Such 


upward 
compatibility 
extends 
even 
to the 


object 
code 
level; 
for 
example, 
an 
8086 


program 
stored 
in read-only 
memory 
will 


execute 
successfully 
in 
iAPX 
286 
Real 


Address 
Mode. 
An iAPX 
286 operating 
in 


Real 
Address 
Mode 
provides 
a number 
of 
instructions 
not found on the iAPX 86. These 


additional 
instructions, 
also present 
with the 


iAPX 
186, allow 
for efficient 
subroutine 


linkage, 
parameter 
validation, 
index calcula- 


tions, and block I/O 
transfers. 


The advanced 
architectural 
features 
and full 


capabilities 
of the iAPX 
286 are realized 
in 


its native 
Protected 
Mode. 
Among 
these 


features 
are 
sophisticated 
mechanisms 
to 


support data protection, 
system integrity, 
task 


concurrency, 
and 
memory 
management, 


including 
virtual 
storage. 
Nevertheless, 
even 


in Protected 
Mode, 
the 
iAPX 
286 remains 


upwardly 
compatible 
with most iAPX 86 and 


iAPX 
186 application 
programs. 
Most iAPX 


86 applications 
programs 
can be re-compiled 


or 
re-assembled 
and 
executed 
on 
the 


iAPX 286 in Protected 
Mode. 


1.3 ADVANCED FEATURES 


The architectural 
features described 
in section 


1.1 are common 
to both operating 
modes of 


the processor. 
In addition 
to these 
common 
features, 
Protected 
Mode provides a number 
of advanced 
features, 
including 
a greatly 


extended 
physical 
and logical address 
space, 


new instructions, 
and support 
for additional 
hardware-recognized 
data 
structures. 
The 


Protected 
Mode iAPX 286 includes 
a sophis- 


ticated 
memory 
management 
and multilevel 


protection 
mechanism. 
Full hardware 
support 


is included 
for multitasking 
and task switch- 
ing operations. 


1.3.1 
Memory Management 


The 
memory 
architecture 
of the 
Protected 


Mode 
iAPX 
286 
represents 
a significant 


advance over that of the iAPX 86. The physi- 
cal address 
space 
has 
been 
increased 
from 


1 megabyte to 16 megabytes 
(224 bytes), while 


the 
virtual 
address 
space 
(i.e., 
the 
address 


space visible to a program) 
has been increased 


from 
1 megabyte 
to 1 gigabyte 
(230 bytes). 


Moreover, 
separate 
virtual 
address spaces are 


provided 
for 
each 
task 
in 
a 
multi- 


tasking 
system 
(see 
section 
1.3.2, 
"Task 


Management"). 


The 
iAPX 
286 supports 
on-chip 
memory 


management 
instead 
of relying 
on an exter- 


nal memory 
management 
unit. The one-chip 


solution 
is preferable 
because 
no software 
is 


required 
to manage 
an external 
memory 


management 
unit, 
performance 
is much 


better, and hardware 
designs are significantly 


simpler. 


Mechanisms 
have been included 
in the iAPX 
286 architecture 
to allow the efficient 
imple- 
mentation 
of virtual 
memory 
systems. 
(In 
virtual 
memory 
systems, the user regards 
the 
combination 
of main and external 
storage 
as 
a single large 
memory. 
The 
user 
can write 
large 
programs 
without 
worrying 
about 
the 
physical memory limitations 
of the system. To 
accomplish 
this, the operating 
system 
places 
some of the user programs 
and data in exter- 
nal 
storage 
and 
brings 
them 
into 
main 
memory 
only 
as 
they 
are 
needed.) 
All 
instructions 
that 
can 
cause 
a segment-not- 
present fault are fully restartable. 
Thus, a not- 
present 
segment 
can be loaded from external 
storage, 
and the task can be restarted 
at the 
point where the fault occurred. 


The iAPX 286, like all members 
of the iAPX 
86 series, 
supports 
a segmented 
memory 
architecture. 
The 
iAPX 
286 
also 
fully 
integrates 
memory 
segmentation 
into 
a 
comprehensive 
protection 
scheme. 
This 
protection scheme includes hardware-enforced 
length and type checking 
to protect 
segments 
from inadvertent 
misuse. 


1.3.2 Task Management 


The iAPX 
286 is designed 
to support 
multi- 
tasking 
systems. 
The 
architecture 
provides 
direct support 
for the concept 
of a task. 
For 
example, task state segments 
(see section 8.2) 
are 
hardware-recognized 
and 
hardware- 
manipulated 
structures 
that 
contain 
infor- 
mation on the current 
state of all tasks in the 
system. 


Very 
efficient 
context-switching 
(task- 
switching) 
can 
be invoked 
with 
a single 
instruction. 
Separate 
logical 
address 
spaces 
are 
provided 
for 
each 
task 
in the 
system. 
Finally, 
mechanisms 
exist 
to support 
inter- 
task 
communication, 
synchronization, 
memory 
sharing, 
and task 
scheduling. 
Task 
Management 
is described 
in Chapter 
8. 


1.3.3 
Protection Mechanisms 


The iAPX 286 allows the system designer 
to 
define a comprehensive 
protection 
policy to be 
applied, 
uniformly 
and 
continuously, 
to all 
ongoing 
operations 
of the 
system. 
Such 
a 
policy 
may be desirable 
to ensure 
system 
reliability, 
privacy of data, 
rapid error recov- 
ery, and separation 
of multiple 
users. 


The 
iAPX 
286 
protection 
mechanisms 
are 
based on the notion of a "hierarchy 
of trust." 
Four 
privilege 
levels 
are 
distinguished, 
ranging 
from Level 0 (most trusted) 
to Level 
3 (least 
trusted). 
Level 0 is usually 
reserved 
for the 
operating 
system 
kernel. 
The 
four 
levels may be visualized 
as concentric 
rings, 
with the most privileged 
level in the center 
(see figure 
1-1). 


This four-level 
scheme offers system reliabil- 
ity, flexibility, 
and design options not possible 
with the typical 
two-level 
(supervisor/user) 
separation 
provided 
by other 
processors. 
A 
four-level 
division 
is capable 
of separating 
kernel, 
executive, 
system 
services, 
and 
application 
software, 
each 
with 
different 
privileges. 


At anyone 
time, a task executes 
at one of the 
four levels. Moreover, 
all data 
segments 
and 
code segments 
are also assigned 
to privilege 
levels. A task executing 
at one level cannot 
access data at a more privileged 
level, nor can 
it call a procedure 
at a less privileged 
level 
(i.e., trust 
a less privileged 
procedure 
to do 
work for it). Thus, 
both 
access 
to data 
and 
transfer 
of control 
are 
restricted 
in appro- 
priate ways. 


A complete 
separation 
can exist between 
the 
logical address spaces local to different 
tasks, 
providing 
users 
with 
automatic 
protection 
against accidental 
or malicious interference 
by 
other 
users. 
The 
hardware 
also 
provides 
immediate 
detection 
of a number 
of fault and 


error conditions, 
a feature 
that can be useful 


in the 
development 
and 
maintenance 
of 


software. 


Finally, 
these protection 
mechanisms 
require 


relatively 
little system overhead 
because 
they 
are integrated 
into the memory 
management 


and protection 
hardware 
of the 
processor 


itself. 


1.3.4 
Support for Operating Systems 


Most operating 
systems 
involve some degree 


of concurrency, 
with multiple 
tasks vying for 


system 
resources. 
The 
task 
management 


mechanisms 
described 
above 
provide 
the 


iAPX 
286 
with 
inherent 
support 
for 
such 


multi-tasking 
systems. 
Moreover, 
the 


advanced 
memory 
management 
features 
of 


the iAPX 
286 allow the implementation 
of 


sophisticated 
virtual 
memory 
systems. 


Operating 
system 
implementors 
have 
found 


that a multi-level 
approach 
to system services 


provides 
better 
security 
and more 
reliable 


systems. 
For example, 
a very secure 
kernel 


might 
implement 
critical 
functions 
such 
as 


task scheduling 
and resource allocation, 
while 


less fundamental 
functions 
(such as I/O) 
are 


built around the kernel. This layered approach 
also 
makes 
program 
development 
and 


enhancement 
simpler 
and facilitates 
error 


detection 
and 
debugging. 
The 
iAPX 
286 
supports 
the 
layered 
approach 
through 
its 


four-level privilege scheme. 


1.4 ORGANIZATION OF THIS MANUAL 


To facilitate 
the use of this manual 
both 
as 
an introduction 
to the iAPX 286 architecture 


and 
as a reference 
guide, 
the 
remaining 


chapters 
are divided into three major parts. 


Part I, comprising 
chapters 
2 through 
4, 


should be read by all those who wish to 
acquire a basic familiarity with the iAPX 286 
architecture. These chapters provide detailed 
information on memory segmentation, regis- 
ters, 
addressing 
modes 
and the 
general 


(application level) iAPX 286 instruction set. 
In conjunction with the iAPX 286 Assembly 
Language Reference Manual, these chapters 
provide sufficient information for an assem- 
bly language programmer to design and write 
application programs. 


Chapter 
2, "Architectural 
Features." 
This 


chapter discusses those features of the iAPX 
286 architecture 
that 
are significant 
for 


application programmers. 
The information 
presented can also function as an introduc- 
tion to the machine for system programmers. 
Memory 
organization 
and segmentation, 
processor registers, addressing modes, and 
instruction formats are all discussed. 


Chapter 
3, "Basic 
Instruction 
Set." 
This 


chapter presents the core instructions of the 
iAPX 86 family. 


Chapter 4, "Extended Instruction Set." This 
chapter presents the extended instructions 
shared 
by the iAPX 
186 and iAPX 
286 
processors. 


Part II of the manual consists of a single 
chapter: 


Chapter 
5, "Real 
Address 
Mode." 
This 


chapter presents the system programmer's 
view of the iAPX 286 when the processor is 
operated in Real Address Mode. 


Part III of the manual comprises chapters 6 
through 
11. Aimed 
primarily 
at system 
programmers, these chapters discuss the more 
advanced architectural features of the iAPX 


286, which are available when the processor 
is in Protected 
Mode. Details on memory 


management, 
protection 
mechanisms, 
and 
task switching are provided. 


The chapters in Part III are: 


Chapter 6, "Virtual Memory." This chapter 
describes the iAPX 286 address translation 
mechanisms that support virtual 
memory. 


Segment 
descriptors, 
global 
and 
local 
descriptor tables, and descriptor caches are 
discussed. 


Chapter 
7, "Protection." 
This 
chapter 
describes the protection features of the iAPX 
286. Privilege 
levels, segment 
attributes, 


access 
restrictions, 
and 
call 
gates 
are 
discussed. 


Chapter 8, "Tasks and State Transitions." 
This chapter describes the iAPX 286 mecha- 
nisms that support concurrent tasks. Context- 
switching, task state segments, task gates, and 
interrupt tasks are discussed. 


Chapter 9, "Interrupts, 
Traps and Faults." 


This chapter 
describes 
interrupt 
and trap 
handling. 
Special attention 
is paid to the 
exception traps, or faults, which may occur in 
Protected Mode. Interrupt gates, trap gates, 
and 
the 
interrupt 
descriptor 
table 
are 
discussed. 


Chapter 10, "System Control and Initializa- 
tion." 
This chapter 
describes 
the actual 
instructions used to implement the memory 
management, 
protection, 
and task support 
features of the iAPX 286. System registers, 
privileged instructions, and the initial machine 
state are discussed. 


Chapter 11, "Advanced Topics." This chapter 
completes 
Part 
III with a description 
of 
several advanced topics, including 
special 
segment attributes and pointer validation. 
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CHAPTER 2 
iAPX 286 BASE ARCHITECTURE 


This chapter 
describes 
the iAPX 
286 appli- 
cation 
programming 
environment 
as seen by 
assembly 
language 
programmers. 
It 
is 
intended 
to introduce 
the 
programmer 
to 
those features 
of the iAPX 
286 architecture 
that directly 
affect the design and implemen- 
tation of iAPX 286 application 
programs. 


2.1 
MEMORY 
ORGANIZATION 
AND 
SEGMENTATION 


The main 
memory 
of an iAPX 
286 system 
makes 
up its physical 
address 
space. 
This 
address 
space is organized 
as a sequence 
of 
8-bit 
quantities, 
called 
bytes. 
Each 
byte 
is 
assigned 
a unique address 
ranging 
from 0 up 
to a maximum 
of 220 (1 megabyte) 
in Real 
Address 
Mode, and up to 224 (16 megabytes) 
in Protected 
Mode. 


A virtual 
address space is the organization 
of 
memory 
as viewed 
by 
a program. 
Virtual 
address 
space 
is also organized 
in units 
of 
bytes. (Other 
addressable 
units such as words, 
strings, 
and BCD digits are described 
below 
in section 
2.2, 
"Data 
Types.") 
In Real 
Address 
Mode, 
as 
with 
the 
8086 
itself, 
programs 
view physical 
memory 
directly, 
inasmuch 
as they 
manipulate 
pure 
physical 
addresses. 
Thus, the virtual 
address 
space is 
identical 
to the 
physical 
address 
space 
(1 
megabyte). 


In Protected 
Mode, however, 
programs 
have 
no direct access to physical addresses. 
Instead, 
memory 
is viewed as a much 
larger 
virtual 
address 
space of 230 bytes (1 gigabyte). 
This 
1 gigabyte 
virtual address is mapped 
onto the 
Protected 
Mode's 
16-megabyte 
physical 
address 
space 
by the 
address 
translation 
mechanisms 
described 
in Chapter 
6. 


The 
programmer 
views the 
virtual 
address 
space on the iAPX 
286 as a collection 
of up 
to sixteen 
thousand 
linear 
subs paces, 
each 
with a specified size or length. 
Each of these 
linear 
address 
spaces is called 
a segment. 
A 
segment 
is a logical 
unit 
of 
contiguous 
memory. 
Segment 
sizes may range from one 
byte up to 64K (65,536) 
bytes. 


iAPX 286 memory segmentation 
supports 
the 
logical 
structure 
of programs 
and 
data 
in 
memory. 
Programs 
are not written 
as single 
linear sequences 
of instructions 
and data, but 
rather 
as modules 
of code 
and 
data. 
For 
example, 
program 
code may include 
a main 
routine and several separate 
procedures. 
Data 
may 
also 
be organized 
into 
various 
data 
structures, 
some private and some shared with 
other 
programs 
in the 
system. 
Run-time 
stacks 
constitute 
yet 
another 
data 
require- 
ment. Each of these several modules 
of code 
and data, moreover, 
may be very different 
in 
size 
or 
vary 
dynamically 
with 
program 
execution. 


Segmentation 
supports 
this logical 
structure 
(see figure 2-1). Each meaningful 
module 
of 
a program 
may 
be separately 
contained 
in 
individual 
segments. 
The degree 
of modular- 
ization, 
of course, 
depends 
on the 
require- 
ments 
of a particular 
application. 
Use 
of 
segmentation 
benefits 
almost all applications. 
Programs 
execute 
faster 
and 
require 
less 
space. Segmentation 
also simplifies the design 
of structured 
software. 


Bytes and words are the fundamental 
units in 
which the iAPX 
286 manipulates 
data, 
i.e., 
the fundamental 
data types. 
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A byte 
is 8 contiguous 
bits 
starting 
on an 


addressable 
byte 
boundary. 
The 
bits 
are 


numbered 
0 through 
7, starting 
from 
the 


right. Bit 7 is the most significant 
bit: 


7 
0 


I : : : : : : : I 


A word is defined 
as two contiguous 
bytes 
starting on an arbitrary 
byte boundary; 
a word 


thus contains 
16 bits. The bits are numbered 


o through 
15, starting 
from the right. 
Bit 15 


is the most significant 
bit. The byte contain- 
ing bit 0 of the word is called 
the low byte; 
the byte containing 
bit 15 is called 
the high 


byte. 


15 
I : : 


o 
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: I 
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Each byte within a word has its own particu- 
lar 
address, 
and 
the 
smaller 
of the 
two 


addresses 
is used as the address 
of the word. 


The byte at this lower address 
contains 
the 


eight least significant 
bits of the word, while 


the byte at the higher 
address 
contains 
the 


eight most significant 
bits. The arrangement 


of 
bytes 
within 
words 
is 
illustrated 
in 


figure 2-2. 


Note that 
a word need not be aligned 
at an 


even-numbered 
byte 
address. 
This 
allows 


maximum 
flexibility 
in data 
structures 
(e.g., 


records 
containing 
mixed 
byte 
and 
word 


entries) 
and efficiency 
in memory 
utilization. 


Although 
actual transfers 
of data between the 


processor 
and memory 
take 
place 
at physi- 


cally aligned word boundaries, 
the iAPX 286 


converts requests for unaligned 
words into the 


appropriate 
sequences 
of requests 
acceptable 


to the memory 
interface. 
Such 
odd aligned 


word 
transfers, 
however, 
may 
impact 


performance 
by requiring 
two memory 
cycles 
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ALL 
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IN HEXADECIMAL 


to transfer 
the word rather 
than 
one. Data 
structures 
(e.g., 
stacks) 
should 
therefore 
be 
designed 
in such a way that 
word operands 
are aligned 
on word 
boundaries 
whenever 
possible 
for maximum 
system 
performance. 
Due to instruction 
prefetching 
and queueing 
within the CPU, 
there 
is no requirement 
for 
instructions 
to be aligned on word boundaries 
and no performance 
loss if they are not. 


Although 
bytes and words are the fundamen- 
tal data types of operands, 
the processor 
also 
supports 
additional 
interpretations 
on these 
bytes or words. Depending 
on the instruction 
referencing 
the 
operand, 
the 
following 
additional 
data types can be recognized: 


Integer: 


A signed binary 
numeric 
value contained 
in an 
8-bit 
byte 
or 
a 
16-bit 
word. 
All 
operations 
assume 
a 
2's 
complement 
representation. 
(Signed 
32- and 
64-bit 
integers 
are supported 
using 
the 
iAPX 
286/20 
Numeric 
Data Processor.) 


An 
unsigned 
binary 
numeric 
value 
contained 
in an 8-bit byte or 16-bit word. 


A 32-bit 
address 
quantity 
composed 
of a 
segment 
selector 
component 
and an offset 
component. 
Each 
component 
is a 
l6-bit 
word. 


A contiguous 
sequence 
of bytes or words. 
A string may contain 
from 
1 byte to 64K 
bytes. 


A byte representation 
of alphanumeric 
and 
control 
characters 
using 
the 
ASCII 
standard 
of character 
representation. 


A byte (unpacked) 
representation 
of the 
decimal digits (0-9). 


A byte 
(packed) 
representation 
of two 
decimal digits (0-9). One digit is stored 
in 
each nibble of the byte. 


Floating 
Point: 


A signed 
32-, 64-, or 80-bit 
real number 
representation. 
(Floating 
operands 
are 
supported using the iAPX 286/20 
Numeric 
Processor 
Configuration.) 


Figure 
2-3 graphically 
represents 
the 
data 
types supported 
by the iAPX 
286. iAPX 
286 
arithmetic 
operations 
may be performed 
on 
five types of numbers: unsigned binary, signed 
binary 
(integers), 
unsigned 
packed 
decimal, 
unsigned 
unpacked 
decimal, 
and 
floating 
point. 
Binary 
numbers 
may be 8 or 16 bits 
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long. Decimal 
numbers 
are stored 
in bytes; 
two digits 
per byte for packed 
decimal, 
one 
digit 
per 
byte 
for 
unpacked 
decimal. 
The 
processor 
always 
assumes 
that 
the operands 
specified 
in arithmetic 
instructions 
contain 
data that represent 
valid numbers 
for the type 
of instruction 
being performed. 
Invalid 
data 
may produce 
unpredictable 
results. 


Unsigned 
binary 
numbers 
may be either 
8 or 
16 bits long; all bits are considered 
in deter- 
mining 
a number's 
magnitude. 
The 
value 
range of an 8-bit unsigned 
binary 
number 
is 
0-255; 
16 bits can represent 
values 
from 
0 
through 
65,535. Addition, 
subtraction, 
multi- 
plication and division operations 
are available 
for unsigned 
binary numbers. 


Signed 
binary 
numbers 
(integers) 
may 
be 
either 
8 or 
16 bits 
long. 
The 
high-order 
(leftmost) 
bit is interpreted 
as the number's 
sign: O=positive 
and 
1= negative. 
Negative 
numbers 
are 
represented 
in standard 
two's 
complement 
notation. 
Since the high-order 
bit 
is used for a sign, the range of an 8-bit integer 
is -128 
through 
+ 127; 16-bit integers 
may 
range from 
-32,768 
through 
+32,767. 
The 
value zero has a positive sign. 


Separate 
multiplication 
and 
division 
opera- 
tions 
are 
provided 
for 
both 
signed 
and 
unsigned 
binary 
numbers. 
The same addition 
and 
subtraction 
instructions 
are 
used 
with 
signed or unsigned binary values. Conditional 
jump instructions, 
as well as an "interrupt 
on 
overflow" 
instruction, 
can be used following 
an unsigned operation 
on an integer 
to detect 
overflow into the sign bit. 


Unpacked 
decimal 
numbers 
are stored 
as 
unsigned 
byte quantities. 
One digit is stored 
in each byte. The magnitude 
of the number 
is determined 
from the low-order 
half-byte; 
hexadecimal 
values 
0-9 are valid 
and 
are 
interpreted 
as decimal 
numbers. 
The 
high- 


order half-byte 
must be zero for multiplica- 
tion and division; it may contain any value for 
addition 
and subtraction. 


Arithmetic 
on unpacked 
decimal 
numbers 
is 
performed 
in two steps. The unsigned 
binary 
addition, 
subtraction 
and 
multiplication 
operations 
are used to produce 
an intermedi- 
ate 
result. 
An 
adjustment 
instruction 
then 
changes the value to a final correct 
unpacked 
decimal 
number. 
Division 
is 
performed 
similarly, except that the adjustment 
is carried 
out on the two digit 
numerator 
operand 
in 
register 
AX 
first, 
followed 
by an unsigned 
binary 
division 
instruction 
that 
produces 
a 
correct 
result. 


Unpacked 
decimal numbers 
are similar to the 
ASCII 
character 
representations 
of the digits 
0-9. Note, however, that the high-order 
half- 
byte 
of an 
ASCII 
numeral 
is always 
3. 
Unpacked 
decimal 
arithmetic 
may 
be 
performed 
on ASCII 
numeric 
characters 
under the following conditions: 


• 
the high-order 
half-byte 
of an ASCII 
numeral 
must 
be 
set 
to OH prior 
to 
multiplication 
or division. 


• 
unpacked 
decimal 
arithmetic 
leaves 
the 
high-order 
half-byte 
set to OH; it must be 
set 
to 
3 to 
produce 
a 
valid 
ASCII 
numeral. 


Packed 
decimal 
numbers 
are 
stored 
as 
unsigned 
byte quantities. 
The byte is treated 
as having one decimal 
digit in each half-byte 
(nibble); 
the digit in the high-order 
half-byte 
is the most significant. 
Values 
0-9 are valid 
in each half-byte, 
and the range of a packed 
decimal 
number 
is 0-99. 
Additions 
and 
subtractions 
are performed 
in two steps. First, 
an addition 
or subtraction 
instruction 
is used 
to produce 
an intermediate 
result. 
Then, 
an 
adjustment 
operation 
is performed 
which 
changes 
the 
intermediate 
value 
to a final 


2.3 REGISTERS 


The iAPX 286 contains a total of fourteen 
registers that are of interest to the applica- 
tion programmer. 
(Five additional registers 


used by system programmers are covered in 
section 10.1.) As shown in figure 2-4, these 
registers 
may be grouped 
into four basic 


categories: 


• 
General 
registers. 
These eight 
16-bit 
general-purpose 
registers 
are 
used 
primarily to contain operands for arith- 
metic and logical operations. 


• 
Segment registers. 
These four special- 
purpose registers determine, at any given 
time, which segments 
of memory are 


currently addressable. 


• 
Status and Control registers. These three 
special-purpose 
registers 
are used to 


record and alter certain aspects of the 
iAPX 286 processor state. 


2.3.1 
General Registers 


The general registers of the iAPX 286 are the 
16-bit registers AX, BX, CX, DX, SP, BP, 
SI, and DI. These registers are used inter- 
changeably to contain the operands of logical 
and arithmetic operations. 


Some instructions and addressing modes (see 
section 2.4), however, dedicate certain general 
registers to specific uses. BX and BP are often 
used to contain 
the base address 
of data 
structures in memory (for example, the start- 
ing address of an array); for this reason, they 
are often referred to as the base registers. 
Similarly, SI and DI are often used to contain 
an index value that will be incremented to step 
through a data structure; these two registers 
are called the index registers. Finally, SP and 
BP are used for stack manipulation. Both SP 
and BP normally 
contain 
offsets into the 
current stack. SP generally contains the offset 
of the top of the stack and BP contains the 


correct packed decimal result. Multiplication 
and division adjustments are only available for 
unpacked decimal numbers. 


Pointers and addresses are described below in 
section 2.3.3, "Index, 
Pointer, 
and Base 
Registers," 
and in section 
3.8, "Address 
Manipulation Instructions." 


Strings are contiguous bytes or words from I 
to 64K bytes in length. They generally contain 
ASCII or other character 
data representa- 
tions. The iAPX 286 provides string manip- 
ulation instructions 
to move, examine, 
or 
modify a string (see section 3.7, "Character 
Translation and String Instructions"). 


If the 80287 numerics processor extension 
(NPX) is present in the system (the iAPX 
286/20 configuration), the iAPX 286 archi- 
tecture also supports floating point numbers, 
32- and 64-bit integers, and l8-digit BCD 
data types. 


The iAPX 286/20 Numeric Data Processor 
supports and stores real numbers in a three- 
field binary 
format 
as required 
by IEEE 
standard 754 for floating point numerics (see 
figure 2-3). The number's significant digits 
are held in the significand field, the exponent 
field locates the binary 
point within 
the 
significant digits (and therefore determines 
the number's magnitude), and the sign field 
indicates whether the number is positive or 
negative. (The exponent and significand are 
analogous to the terms "characteristic" 
and 
"mantissa," typically used to describe float- 
ing point numbers on some computers.) This 
format is used by the iAPX 286/20 
with 
various length significands and exponents to 
support single precision, double precision and 
extended (80-bit) precision floating point data 
types. Negative numbers differ from positive 
numbers only in their sign bits. 


offset 
or base 
address 
of the 
current 
stack 
frame. 
The 
use 
of these 
general-purpose 
registers 
for operand 
addressing 
is discussed 
in section 
2.3.3, 
"Index, 
Pointer, 
and 
Base 
Registers." 
Register 
usage 
for individual 


instructions 
is discussed 
in chapters 
3 and 4. 


As shown in figure 
2-4, eight 
byte registers 
overlap 
four of the 
16-bit general 
registers. 


These registers 
are named AH, BH, CH, and 
DH (high bytes); 
and AL, BL, CL, and DL 


(low bytes); 
they overlap 
AX, BX, ex, and 
DX. These registers can be used either in their 
entirety 
or as individual 
8-bit registers. 
This 
dual interpretation 
simplifies 
the handling 
of 
both 8- and 16-bit data elements. 


2.3.2 
Memory Segmentation and Segment 
Registers 


Complete 
programs 
generally 
consist of many 
different 
code 
modules 
(or 
segments), 
and 
different 
types of data segments. 
However, 
at 


any 
given 
time 
during 
program 
execution, 
only a small subset of a program's 
segments 
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are actually 
in use. Generally, 
this subset will 
include code, data, 
and possibly a stack. The 
iAPX 286 architecture 
takes advantage 
of this 
by providing 
mechanisms 
to support 
direct 
access 
to the 
working 
set of a program's 
execution 
environment 
and 
access 
to 
additional 
segments 
on demand. 


At 
any 
given 
instant, 
four 
segments 
of 
memory 
are immediately 
accessible 
to an 
executing 
iAPX 
286 program. 
The segment 
registers 
DS, 
ES, SS, 
and 
CS 
are 
used 
to 
identify these four current 
segments. 
Each of 
these registers 
specifies 
a particular 
kind of 
segment, 
as characterized 
by the associated 
mnemonics 
("code," 
"stack," 
"data," 
or 
"extra") 
shown in figure 2-4. 


An 
executing 
program 
is provided 
with 
concurrent 
access 
to the 
four 
individual 
segments of memory-a 
code segment, a stack 
segment, 
and two data 
segments-by 
means 
of the four segment 
registers. 
Each 
may be 
said 
to select 
a segment, 
since 
it uniquely 
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among the numerous segments in memory, 
which is to be immediately 
accessible 
at 


highest speed. Thus, the 16-bit contents of a 
segment register is called a segment selector. 


Once a segment is selected, a base address is 
associated with it. To address an element 
within a segment, a 16-bit offset from the 
segment's base address must be supplied. The 
16-bit segment selector and the 16-bit offset 
taken together form the high and low order 
halves, respectively, of a 32-bit virtual address 
pointer. Once a segment is selected, only the 
lower 16-bits of the pointer, called the offset, 
generally need to be specified by an instruc- 
tion. Simple rules define which segment 
register is used to form an address when only 
a 16-bit offset is specified. 


An executing program requires, first of all, 
that its instructions 
reside somewhere 
in 


memory. The segment of memory containing 
the currently executing sequence of instruc- 
tions is known as the current code segment; it 
is specified by means of the CS register. All 
instructions 
are 
fetched 
from 
this 
code 


segment, using as an offset the contents of the 
instruction pointer (IP). The CS:IP register 
combination therefore forms the full 32-bit 
pointer 
for the next sequential 
program 


instruction. The CS register is manipulated 
indirectly. Transitions from one code segment 
to another .(e.g., a procedure call) are effected 
implicitly as the result of control-transfer 
instructions, interrupts, and trap operations. 


Stacks playa 
fundamental role in the iAPX 


286 
architecture; 
subroutine 
calls, 
for 


example, involve a number of implicit stack 
operations. Thus, an executing program will 
generally require a region of memory for its 
stack. The segment containing this region is 
known as the current stack segment, and it is 
specified by means of the SS register. All 


segment, usually in terms of address offsets 
contained in the stack pointer (SP) and stack 
frame base (BP) registers. Unlike CS, the SS 
register can be loaded explicitly for dynamic 
stack definition. 


Beyond their code and stack requirements, 
most programs must also fetch and store data 
in memory. The DS and ES registers allow 
the specification of two data segments, each 
addressable 
by the 
currently 
executing 
program. Accessibility to two separate data 
areas supports 
differentiation 
and access 


requirements like local procedure data and 
global process data. An operand within a data 
segment is addressed by specifying its offset 
either directly in an instruction or indirectly 
via index and/or base registers (described in 
the next subsection). 


Depending on the data structure (e.g., the way 
data is parceled into one or more segments), 
a program may require access to multiple data 
segments. To access additional segments, the 
DS and ES registers can be loaded under 
program 
control 
during 
the course 
of a 


program's 
execution. 
This simply requires 


loading the appropriate data pointer prior to 
accessing the data. 


The interpretation of segment selector values 
depends on the operating mode of the proces- 
sor. In Real Address Mode, a segment selec- 
tor is a physical 
address 
(figure 
2-5). In 


Protected Mode, a segment selector selects a 
segment of the user's virtual address space 
(figure 2-6). An intervening level of logical- 
to-physical address translation 
converts the 


logical address to a physical memory address. 
Chapter 6, "Memory Management," provides 
a detailed 
discussion 
of Protected 
Mode 


addressing. 
In general, 
considerations 
of 


selector formats and the details of memory 
mapping need not concern the application 
programmer. 


NOTES: 
1. THE SELECTOR 
IDENTIFIES 
A SEGMENT 
IN PHYSICAL 
MEMORY. 
2. 
A SELECTOR 
SPECIFIES 
THE SEGMENTS 
BASE ADDRESS, 
MODULE 
16, WITHIN THE 1 
MEGABYTE 
ADDRESS SPACE. 
3. 
THE 
SELECTOR 
IS THE 
16 
MOST 
SIGNIFICANT 
BITS 
OF 
A 
SEGMENTS 
PHYSICAL 
ADDRESS. 


4. 
THE 
VALUES 
OF SELECTORS 
DETERMINES 
THE 
AMOUNT 
THEY 
OVERLAP 
IN REAL 
MEMORY. 


5. 
SEGMENTS 
MAY OVERLAP 
BY INCREMENTS 
OF 16 BYTES. 
OVERLAP 
RANGES FROM 
COMPLETE 
(SEG 1 = SEG 1) TO NONE (SEG 1 * SEG 2 ± 64K) 


1 GIGABYTE 
VIRTUAL ADDRESS 
SPACE 
f' 


SEG 4 


SEG 3 


{ 
SEG 2 


SEG 1 


SEG 0 


NOTES: 
1. A SELECTOR 
UNIQUELY IDENTIFIES (NAMES) ONE OF 16K POSSIBLE SEGMENTS 
IN THE 
TASK'S 
VIRTUAL ADDRESS 
SPACE. 
2. 
THE SELECTOR 
VALUE DOES NOT SPECIFY 
THE SEGMENT'S 
LOCATION 
IN PHYSICAL 
MEMORY. 


3. 
THE 
SELECTOR 
DOES 
NOT 
IMPLY 
ANY 
OVERLAP 
WITH 
OTHER 
SEGMENTS 
(THIS 
DEPENDS ON THE BASE ADDRESS OF THE SEGMENT 
AS SPECIFIED 
VIA THE MEMORY 
MANAGEMENT 
AND PROTECTION 
INFORMATION). 


2.3.3 Index, Pointer, and Base Registers 


Five 
of the 
general-purpose 
registers 
are 


available for offset address calculations. 
These 


five registers, shown in figure 2-4, are SP, BP, 
BX, SI, and DJ. SP is called a pointer 
regis- 


ter; BP and BX are called 
base registers; 
SI 


and DI are called index registers. 


As described 
in the previous section, segment 
registers 
define 
the 
set 
of four 
segments 


currently 
addressable 
by 
a 
program. 
A 
pointer, 
base, or index register 
may contain 


an offset value relative 
to the start 
of one of 
these segments; 
it thereby 
points to a partic- 


ular operand's 
location 
within 
that 
segment. 


To allow for efficient 
computations 
of effec- 
tive address 
offsets, all base and index regis- 


ters 
may 
participate 
interchangeably 
as 
operands 
in most arithmetical 
operations. 


Stack operations 
are facilitated 
by the stack 
pointer 
(SP) 
and 
stack 
frame 
base 
(BP) 
registers. By specifying offsets into the current 
stack segment, each of these registers provides 
access to data 
on the stack. 
The SP register 


is 
the 
customary 
top-of -stack 
pointer, 


addressing 
the uppermost 
datum 
on a push- 


down stack. 
It is referenced 
implicitly 
by 


PUSH 
and POP operations, 
subroutine 
calls, 


and interrupt 
operations. 
The 
BP register 
provides 
yet another 
offset 
into 
the 
stack 
segment. 
The existence 
of this stack relative 
base 
register, 
in conjunction 
with 
certain 
addressing 
modes described 
in section 
2.6.3, 


is particularly 
useful for accessing 
data struc- 
tures, 
variables 
and dynamically 
allocated 
work space within the stack. 


Stacks 
in the iAPX 
286 are implemented 
in 
memory and are located by the stack segment 
register 
(SS) 
and the stack 
pointer 
register 
(SP). 
A system 
may 
have 
an 
unlimited 
number 
of stacks, 
and a stack may be up to 
64K bytes 
long, the 
maximum 
length 
of a 


segment. 


One stack 
is directly 
addressable 
at a time; 


this 
is the 
current 
stack, 
often 
referred 
to 
simply as "the" 
stack. SP contains 
the current 
top of the stack 
(TOS). 
In other 
words, 
SP 
contains the offset to the top of the push down 
stack from the stack segment's 
base address. 


Note, however, 
that 
the stack's 
base address 


(contained 
in SS) is not the "bottom" 
of the 
stack (figure 
2-7). 


Instructions operate on the stack by adding 
and removing stack items one word at a time. 
An item is pushed onto the stack (see figure 
2-8) by decrementing SP by 2 and writing the 
item at the new TOS. An item is popped off 
the stack by copying it from TOS and then 
incrementing SP by 2. In other words, the 
stack grows down in memory toward its base 
address. Stack operations never move items 
on the stack; nor do they erase them. The top 
of the stack changes only as a result of updat- 
ing the stack pointer. 


The stack frame base pointer (BP) is often 
used to access elements on the stack relative 
to a fixed point on the stack rather 
than 


relative 
to the current 
TOS. It typically 


identifies the base address of the current stack 
frame established for the current procedure 
(figure 
2-9). If an index register 
is used 


relative to BP (e.g., base + index addressing 
mode using BP as the base), the offset will be 
calculated automatically in the current stack 
segment. 


Accessing data structures in data segments is 
facilitated by the BX register, which has the 
same function in addressing operands within 
data 
segments 
that 
BP does 
for 
stack 


segments. 
They are called base registers 


because they may contain an offset to the base 
of a data structure. The similar usage of these 
two registers is especially important 
when 
discussing addressing modes (see section 2.4, 
"Addressing Modes"). 


Operations on data are also facilitated by the 
SI and 01 registers. By specifying an offset 
relative to the start of the currently address- 
able data segment, an index register can be 
used to address an operand in the segment. If 
an index register is used in conjunction with 
the BX base register 
(i.e., base + index 


addressing) to form an offset address, the data 


segment. As a rule, data referenced through 
an index register or BX is presumed to reside 
in the current data segment. That is, if an 
instruction invokes addressing for one of its 
operands using either BX, 01, SI, or BX with 
SI or 01, the contents of the register(s) (BX, 
01, or SI) implicitly specify an offset in the 
current data segment. As previously men- 
tioned, data referenced via SP, BP or BP with 
SI or 01 implicitly specify an operand in the 
current stack segment (refer to table 2-1). 


There are two exceptions to the rules listed 
above. The first concerns the operation of 
certain iAPX 286 string instructions. For the 
most flexibility, these instructions assume that 
the DI register addresses destination strings 
not in the data segment, but rather in the 
extra segment (ES register). 
This allows 
movement 
of strings 
between 
different 
segments. 
This has led to the descriptive 
names 
"source 
index" 
and 
"destination 
index." In all cases other than string instruc- 
tions, however, the SI and DI registers may 
be used interchangeably to reference either 
source or destination operands. 


Table 2·1. Implied Segment Usage by Index, 
Pointer and Base Registers 


Register 
Implied Segment 


SP 
SS 
ap 
ss 
ax 
os 
SI 
OS 
01 
OS, ES for String Operations 
ap + SI, 01 
SS 
ax + SI, 01 
OS 


NOTE: 
All implied Segment usage, except SP to SS and 01 
to ES for String Operations, may be explicitly speci- 
fied with a segment override prefix for any of the four 
segments. The prefix precedes the instruction for 
which explicit reference is desired. 


STACK OPERATION 
FOR CODE SE~UENCE: 


PUSH AX 
POP AX 
POP BX 
0 
0 
0 
0 


1 
1 
1 
1 


2 
2 
2 
2 


3 
3 
3 
3 


4 
4 
4 
4 


5 
5 
5 
5 


6 
6 
6 
6 


7 
7 
7 
7 


8 
8 
8 
8 


9 
9 
9 
9 


1062 


1060 


105E 


105C 


105A 


1058 


1056 


1054 


1052 


1050 


1 


BOTTOM 
OF STACK 


I 


NOT PRESENTLY 
USED 


00001-1 


0 
0 
0 
0 


1 
1 
1 
1 


2 
2 
2 
2 


3 
3 
3 
3 


4 
4 
4 
4 


5 
5 
5 
5 


A 
A 
A 
A 


7 
7 
7 
7 


8 
8 
8 
8 


9 
9 
9 
9 


1062 


1060 


105E 


105C 


105A 


1058 


1056 


1054 


1052 


1050 


PUSH AX 


~ 
A 
A 
Al 


0 
0 
0 
0 


1 
1 
1 
1 


2 
2 
2 
2 
POP BX 
3 
3 
3 
3 
15 
5 
5 
51 
4 
4 
4 
4 
• 
5 
5 
5 
5 


A 
A 
A 
A 
+ 
7 
7 
7 
7 


8 
8 
8 
8 
I A 
A 
A 
A I 


9 
9 
9 
9 
POP AX 


1062 


1060 


105E 


105C 


105A 


1058 


1056 


1054 


1052 


1050 


PROC N 
PUSH AX 
PUSH ARRA Y_SIZE 
CALL PROC_N - 
1 
-----.- 
PROC_N-1: 


~ 


~~~~:!.~~6RUPACE 


"PROCEDURE 
BODY" 


MOV SP, BP 
POP CX 
POP BP 
RET 


.---, 
• 
BP 
L __ .l 


t 


'p 
'I' 


OM OF 
TACK 
PARAMETERS 


RETURN ADDR 


REGISTERS 
I 
• 


WORK SPACE 


PARAMETERS 


RETURN ADDR 


REGISTERS 


WORK SPACE 
----- 


PROCEDURE N+ 1 STACK FRAME 


) 


DYNAMICALLY 
ALLOCATED 
ON 


DEMAND RATHER THAN STATICALLY 


TOP OF STACK 


A second 
more 
general 
override 
capability 
allows the programmer 
complete 
control 
of 


which segment 
is used for a specific 
opera- 


tion. Segment-override 
prefixes, 
discussed 
in 


section 2.4.3, allow the index and base regis- 
ters 
to address 
data 
in any 
of the 
four 


currently 
addressable 
segments. 


2.3.4 
Status and Control Registers 


Two 
status 
and 
control 
registers 
are 
of 


immediate 
concern 
to applications 
program- 


mers: the instruction 
pointer and the FLAGS 


registers. 


The instruction 
pointer register 
(IP) contains 
the offset address, 
relative 
to the start 
of the 


current 
code segment, 
of the next sequential 


instruction 
to be executed. 
Together, 
the 


CS:IP registers 
thus define a 32-bit program- 


counter. The instruction 
pointer is not directly 
visible 
to the 
programmer; 
it is controlled 


implicitly, 
by interrupts, 
traps, 
and control- 


transfer 
operations. 


STATUS 
FLAGS: 


CARRY 


PARITY 


AUXILIARY 
CARRY 


ZERO 


SIGN------------- 


The FLAGS 
register encompasses 
eleven flag 
fields, mostly one-bit wide, as shown in figure 
2-10. Six of the 
flags 
are 
status 
flags 
that 
record 
processor 
status 
information. 
The 


status 
flags are affected 
by the execution 
of 
arithmetic 
and logical instructions. 
The carry 


flag is also modifiable 
with instructions 
that 


will clear, set or complement 
this flag bit. See 
Chapters 
3 and 4. 


The 
carry 
flag 
(CF) 
generally 
indicates 
a 


carry 
or borrow 
out of the most 
significant 


bit of an 8- or 16-bit operand 
after 
perform- 


ing an arithmetic 
operation; 
this flag is also 


useful for bit manipulation 
operations 
involv- 
ing the shift and rotate instructions. 
The effect 


on the remaining 
status 
flags, when defined 
for a particular 
instruction, 
is generally 
as 


follows: the zero flag (ZF) 
indicates 
a zero 
result when set; the sign flag (SF) 
indicates 


whether 
the result 
was negative 
(SF= 
1) or 
positive (SF=O); 
when set, the overflow flag 
(OF) 
indicates 
whether 
an operation 
results 


TRAP FLAG 


INTERRUPT ENABLE 


DIRECTION FLAG 


SPECIAL FIELDS: 


110 PRIVILEGE LEVEL 


NESTED TASK FLAG 


in a carry into the high order bit of the result 
but not a carry 
out of the high-order 
bit, or 
vice versa; 
the 
parity 
flag 
(PF) 
indicates 
whether 
the modulo 
2 sum of the low-order 
eight bits of the operation 
is even (PF=O) 
or 
odd (PF= 
I) parity. 
The auxiliary 
carry 
flag 
(AF) represents 
a carry out of or borrow into 
the least significant 
4-bit digit When perform- 
ing binary coded decimal 
(BCD) 
arithmetic. 


The 
FLAGS 
register 
also 
contains 
three 
control 
flags that 
are 
used, 
under 
program 


control, 
to 
direct 
certain 
processor 
opera- 


tions. The interrupt-enable 
flag (IF), 
if set, 
enables 
external 
interrupts; 
otherwise, 
inter- 


rupts are disabled. 
The trap flag (TF), 
if set, 
puts the processor 
into a single-step 
mode for 
debugging 
purposes where the target program 


is automatically 
interrupted 
to a user supplied 
debug 
routine 
after 
the 
execution 
of each 


target program 
instruction. 
The direction 
flag 


(DF) controls the forward 
or backward 
direc- 
tion of string operations: 
0 = forward 
or auto 


increment 
the address 
register(s) 
(SI, 
DI or 
SI and DI), 
I = 
backward 
or auto-decre- 
ment the address register(s) 
(SI, 01 or SI and 
01). 


In general, 
the interrupt 
enable 
flag may be 


setor reset with special instructions 
(STI = set, 


CLI 
= clear) 
or by placing 
the flags on the 


stack, modifying 
the stack, and returning 
the 


flag image from the stack to the flag register. 
If operating 
in Protected 
Mode, the ability to 


alter the IF bit is subject to protection 
checks 
to prevent 
non-privileged 
programs 
from 
effecting 
the interrupt 
state of the CPU. This 


applies to both instruction 
and stack options 


for modifying 
the IF bit. 


The TF flag may only be modified by copying 
the flag register 
to the stack, 
setting 
the TF 
bit 
in the 
stack 
image, 
and 
returning 
the 
modified stack image to the flag register. 
The 


trap 
interrupt 
occurs 
on completion 
of the 


next 
instruction. 
Entry 
to the 
single 
step 
routine 
saves the flag register 
on the 
stack 
with the TF bit set, and resets the TF bit in 
the register. 
After 
completion 
of the 
single 
step routine, 
the TF bit is automatically 
set 
on return to the program 
being single stepped 
to interrupt 
the program 
again after comple- 
tion of the next instruction. 
Use of TF is not 
inhibited 
by the protection 
mechanism 
in 
Protected 
Mode. 


The DF flag, like the IF flag, is controlled 
by 


instructions 
(CLD 
= 
clear, 
STD 
= 
set) or 
flag register 
modification 
through 
the stack. 


Typically, 
routines 
that 
use 
string 
instruc- 
tions will save the flags on the stack, modify 
DF as necessary via the instructions 
provided, 


and restore DF to its original 
state by restor- 
ing the Flag 
register 
from 
the stack 
before 
returning. 
Access or control of the DF flag is 


not inhibited 
by the protection 
mechanism 
in 
Protected 
Mode. 


The Special 
Fields 
bits are only relevant 
in 
Protected 
Mode. 
Real 
Address 
Mode 
programs 
should 
treat 
these 
bits 
as don't- 
care's, 
making 
no assumption 
about 
their 
status. Attempts 
to modify the IOPL and NT 
fields are subject 
to protection 
checking 
in 
Protected 
Mode. In general, 
the application's 
programmer 
will not be able to and should 
not attempt 
to modify these bits. (See section 
9.4, "Privileged 
and Trusted 
Instructions" 
for 
more details.) 


2.4 ADDRESSING MODES 


The 
information 
encoded 
in an iAPX 
286 
instruction 
includes 
a specification 
of the 
operation 
to be performed, 
the type 
of the 
operands 
to be manipulated, 
and the location 
of these operands. 
If an operand 
is located 
in 
memory, 
the instruction 
must 
also 
select, 


explicitly or implicitly, 
which of the currently 


addressable 
segments 
contains 
the operand. 


mechanisms; 
iAPX 
286 
operators 
are 
discussed 
in Chapter 
3. 


The five elements 
of a general 
instruction 
are 
briefly described 
below. The exact format 
of 
iAPX 
286 
instructions 
is 
specified 
in 
Appendix 
B. 


• 
The opcode is present 
in all instructions; 
in fact, it is the only required 
element. 
Its 
principal 
function 
is the specification 
of 
the 
operation 
performed 
by 
the 
instruction. 


• 
A register 
specifier. 


• 
The 
addressing 
mode 
specifier, 
when 
present, 
is used to specify the addressing 
mode of an operand 
for referencing 
data 
or performing 
indirect 
calls or jumps. 


• 
The displacement, 
when present, 
is used 
to compute 
the 
effective 
address 
of an 
operand 
in memory. 


• 
The 
immediate 
operand, 
when 
present, 
directly 
specifies 
one 
operand 
of the 
instruction. 


Of the four elements, 
only one, the opcode, is 
always 
present. 
The other 
elements 
mayor 
may not be present, 
depending 
on the partic- 
ular operation 
involved 
and on the location 
and type of the operands. 


2.4.1 
Operands 


Generally 
speaking, 
an 
instruction 
is an 
operation 
performed 
on zero, 
one, 
or two 
operands, 
which are the data manipulated 
by 
the instruction. 
An operand 
can be located 
either 
in a register 
(AX, 
BX, CX, DX, 
SI, 
DI, SP, or BP in the case of 16-bit operands; 
AH, AL, BH, BL, CH, 
CL, DH, 
or DL in 
the case of 8-bit operands; 
the FLAG 
register 
for flag operations 
in the instruction 
itself (as 
an immediate 
operand)), 
or in memory 
or an 


1{ OJ 
pUll. 
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ana operanas 
in registers can be accessed more rapidly than 
operands 
in memory 
since memory 
operands 
must be fetched from memory 
while immedi- 
ate and register 
operands 
are available 
in the 
processor. 


An iAPX 286 instruction 
can reference 
zero, 
one, or two operands. 
The three forms are as 
follows: 


• 
Zero-operand 
instructions, 
such as RET, 
NOP, 
and HLT. Consult 
Appendix 
B. 


• 
One-operand 
instructions, 
such as INC or 
DEC. The location 
of the single operand 
can be specified 
implicitly, 
as in AAM 
(where 
the 
register 
AX 
contains 
the 
operand), 
or explicitly, as in INC (where 
the 
operand 
can 
be in any 
register 
or 
memory 
location). 
Explicitly 
specified 
operands 
are 
accessed 
via one 
of the 
addressing 
modes 
described 
in section 
2.4.2. 


• 
Two operand 
instructions 
such as MOV, 
ADD, XOR, etc., generally 
overwrite 
one 
of the two participating 
operands 
with the 
result. 
A distinction 
can 
thus 
be made 
between the source operand 
(the one left 
unaffected 
by the 
operation) 
and 
the 
destination 
operand 
(the one overwritten 
by the result). 
Like one-operand 
instruc- 
tions, 
two-operand 
instructions 
can 
specify 
the 
location 
of operands 
either 
explicitly 
or implicitly. 
If an instruction 
contains two explicitly specified operands, 
only one of them--either 
the source or the 
destination-can 
be 
in 
a register 
or 
memory location. The other operand must 
be in a register or be an immediate 
source 
operand. 
Special 
cases 
of two-operand 
instructions 
are the string instructions 
and 
stack 
manipulation. 
Both 
operands 
of 
some string 
instructions 
are in memory 
and are explicitly specified. 
Push and pop 


stack 
operations 
allow transfer 
between 
memory operands 
and the memory 
based 
stack. 


Thus, 
the two-operand 
instructions 
of the 
iAPX 286 permit 
operations 
of the following 
sort: 
• 
Register-to-register 
• 
Register-to-memory 
• 
Memory-to-register 
• 
Immediate- to- register 
• 
Immediate-to-memory 
• 
Memory-to-memory 


Instructions 
can specify the location 
of their 
operands by means of eight addressing 
modes, 
which 
are 
described 
in 
sections 
2.4.2 
and 2.4.3. 


2.4.2 
Register and Immediate Modes 


Two addressing 
modes are used to reference 
operands 
contained 
in 
registers 
and 


instructions: 


• 
Register 
Operand 
Mode. The operand 
is 
located in one of the 16-bit registers (AX, 
BX, CX, DX, SI, DI, SP, or BP) or in 
one of the 
8-bit general 
registers 
(AH, 
BH, CH, DH, AL, BL, CL, or DL). 


Special instructions 
are also included 
for 
referencing 
the CS, DS, ES, SS, and Flag 
registers 
as operands 
also. 


• 
Immediate 
Operand 
Mode. The operand 
is part 
of the 
instruction 
itself 
(the 
immediate 
operand 
element). 


2.4.3 
Memory Addressing Modes 


Six modes 
are 
used 
to access 
operands 
in 
memory. 
Memory 
operands 
are accessed 
by 
means 
of a pointer 
consisting 
of a segment 


selector 
(see 
section 
2.3.2) 
and 
an offset, 
which specifies the operand's 
displacement 
in 
bytes from the beginning 
of the segment 
in 
which 
it resides. 
Both 
the segment 
selector 
component 
and 
the 
offset 
component 
are 
16-bit values. 
(See section 
2.1 for a discus- 
sion of segmentation.) 
Only 
some 
instruc- 
tions use a full 32-bit address. 


Most memory 
references 
do not require 
the 
instruction 
to specify 
a full 
32-bit 
pointer 
address. Operands 
that are located within one 
of the currently 
addressable 
segments, 
as 
determined 
by the four segment 
registers 
(see 
section 
2.3.2, "Segment 
Registers"), 
can be 
referenced 
very efficiently 
simply 
by means 
of the 
16-bit offset. 
This form of address 
is 
called by short address. The choice of segment 
(CS, DS, ES, or SS) is either implicit 
within 
the instruction 
itself or explicitly 
specified 
by 
means 
of a segment 
override 
prefix 
(see 
below). 


See figure 2-11 for a diagram 
of the address- 


ing process. 


2.4.3.1 
SEGMENT SELECTION 


All instructions 
that 
address 
operands 
in 
memory 
must 
specify 
the 
segment 
and 
the 
offset. 
For speed 
and compact 
instruction 
encoding, segment selectors are usually stored 
in the 
high 
speed 
segment 
registers. 
An 
instruction 
need 
specify 
only 
the 
desired 
segment 
register 
and 
an offset 
in order 
to 
address a memory 
operand. 


Most instructions 
need not explicitly 
specify 
which segment 
register 
is used. The correct 
segment 
register 
is automatically 
chosen 
according 
to the rules of table 
2-1 and table 
2-2. These rules follow the way programs 
are 
written 
(see 
figure 
2-12) 
as independent 
modules that require 
areas for code and data, 
a stack, and access to external 
data areas. 
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Memory 
Segment 
Register 
Implicit Segment 


Reference 
Needed 
Used 
Selection 
Rule 


Instructions 
Code (CS) 
Automatic with instruction prefetch. 


Stack 
Stack (55) 
All stack pushes and pops. Any memory refer- 
ence which uses BP as a base register. 


Local Data 
Data (OS) 
All data references except when relative to stack 
or string destination. 


External (Global) Data 
Extra (ES) 
Alternate data segment and destination of string 
operation. 


There is a close connection between the type 
of memory reference 
and the segment 
in 


which that operand 
resides (see the next 


section for a discussion 
of how memory 
addressing mode calculations are performed). 
As a rule, a memory reference implies the 
current 
data 
segment 
(i.e., 
the 
implicit 


segment selector is in DS) unless the BP 
register is involved in the address specifica- 


tion, in which case the current stack segment 
is implied (i.e, SS contains the selector). 


The iAPX 286 instruction set defines special 
instruction prefix elements (see Appendix B). 
One of these is SEG, the segment-override 
prefix. Segment-override 
prefixes allow an 


explicit segment selection. Only in two special 
cases-namely, 
the use of DI to reference 


r---.., 
I 
I 


~ 


ODE 
MODULE A 


DATA 


PRog~~~D 
BLOCK 
1 


I 
I 
PRog~~~D 
BLOCK 
2 


J 
I 
L 
.J 


MEMORY 


destination strings in the ES segment, and the 
use of SP to reference stack locations in the 
SS segment-is 
there an implied segment 
selection which cannot be overridden. The 
format of segment override prefixes is shown 
in Appendix B. 


2.4.3.2 
OFFSET COMPUTATION 
The offset within the desired 
segment 
is 
calculated 
in accordance 
with the desired 
addressing mode. The offset is calculated by 
taking the sum of up to three components: 


• 
the displacement element in the instruc- 
tion 


• 
the base (contents of BX or BP-a 
base 
register) 


• 
the index (contents of SI or DI-an 
index 
register) 


Each of the three components of an offset may 
be either a positive or negative value. Offsets 
are calculated modulo 216• 


The six memory addressing modes are gener- 
ated using various combinations of these three 
components. 
The six modes are used for 
accessing different types of data stored in 
memory: 


direct address 
register 
indirect 
based 
indexed 
based indexed 
based indexed 
with 
displacement 


displacement 
alone 
base or index alone 
base + displacement 
index + displacement 
base + index 
base + index + disp 


In all six modes, the operand is located at the 
specified offset within the selected segment. 
All displacements, except direct address mode, 
are optionally 
8- or 16-bit 
values. 
8-bit 
displacements 
are 
automatically 
sign- 
extended to 16 bits. The six addressing modes 
are described 
and 
demonstrated 
in the 
following 
section 
on memory 
addressing 
modes. 


Two 
modes 
are 
used 
for 
simple 
scalar 


operands 
located in memory: 


• 
Direct 
Address 
Mode. 
The offset of the 


operand 
is contained 
in the instruction 
as 


the displacement 
element. 
The offset is a 


16-bit quantity. 


• 
Register 
Indirect 
Mode. The offset of the 


operand 
is in one of the registers 
SI, DI, 
or BX. (BP is excluded; 
if BP is used as 


a stack frame 
base, it requires 
an index 
or displacement 
component 
to reference 


either parameters 
passed on the stack or 


temporary 
variables 
allocated 
on the 


stack. The instruction 
level bit encoding 


for the BP only address 
mode is used to 


specify 
Direct 
Address 
mode. 
See 


Chapter 
12 for more details.) 


The following 
four 
modes 
are 
used 
for 


accessing 
complex 
data 
structures 
in 


memory 
(see figure 2-13): 


• 
Based 
Mode. 
The 
operand 
is located 


within 
the selected 
segment 
at an offset 


computed 
as the sum of the displacement 


and the contents 
of a base register 
(BX 


or BP). 
Based 
mode 
is often 
used 
to 


access the same field in different 
copies 


of a structure 
(often called a record). 
The 


base 
register 
points 
to the 
base 
of the 


structure 
(hence 
the term 
"base" 
regis- 


ter), 
and 
the 
displacement 
selects 
a 
particular 
field. 
Corresponding 
fields 


within 
a collection 
of structures 
can be 


accessed 
simply 
by changing 
the 
base 


register. 
(See figure 2-13, example 
1.) 


• 
Indexed 
Mode. 
The 
operand 
is located 


within the selected 
segment 
at an offset 


computed 
as the sum of the displacement 


and the contents 
of an index register 
(SI 


or DI). 
Indexed 
mode 
is often 
used 
to 


access elements 
in a static array (e.g., an 


array 
whose starting 
location 
is fixed at 
translation 
time). 
The 
displacement 
locates the beginning of the array, and the 
value 
of the 
index 
register 
selects 
one 
element. 
Since all array elements 
are the 
same 
length, 
simple 
arithmetic 
on the 
index 
register 
will 
select 
any 
element. 


(See figure 2-13, example 
2.) 


• 
Based 
Indexed 
Mode. 
The 
operand 
is 


located within the selected segment 
at an 
offset computed 
as the sum of the base 
register's 
contents 
and an index register's 


contents. 
Based 
Indexed 
mode 
is often 
used 
to access 
elements 
of a dynamic 


array 
(i.e., an array 
whose base address 


can change 
during 
execution). 
The base 


register 
points 
to the base of the array, 


and the value of the index register 
is used 
to select one element. 
(See 
figure 
2-13, 


example 
3.) 


• 
Based Indexed 
Mode with Displacement. 


The operand 
is located 
with the selected 
segment at an offset computed 
as the sum 


of a base 
register's 
contents, 
an 
index 


register's 
contents, 
and the displacement. 


This 
mode 
is 
often 
used 
to 
access 


elements 
of an array 
within 
a structure. 


For example, 
the structure 
could 
be an 


activation 
record 
(i.e., 
a region 
of the 
stack 
containing 
the register 
contents, 


parameters, 
and variables 
associated 
with 


one instance 
of a procedure); 
and 
one 
variable 
could 
be an array. 
The 
base 


register 
points to the start 
of the activa- 
tion 
record, 
the 
displacement 
expresses 


the distance 
from the start 
of the record 
to the beginning of the array variable, 
and 


the index 
register 
selects 
a particular 


element 
of the array. 
(See 
figure 
2-13, 


example 
4.) 


Table 
2-3 gives a summary 
of all memory 


operand 
addressing 
options. 


1. BASED MODE 


MOV AX, [BP ~ 
DATE-CODEJ 
ADD [BX + BALANCEJ, CX 


2. 
INDEXED MODE 


MOV 10 [51], OX 
SUB BX, DATA_TBL 
[SIJ 


3. 
BASED INDEXED 


MOV OX, [BPJ[OIJ 
AND [BX + SIJ, 3FFH 


) 


FIXED 
ARRAY 


I 


BASED 
ARRAY 


BASE 


+ 


SEGMENT 


4. 
BASED INDEXED MODE WITH DISPLACEMENT 


MOV CX, [BPJ[SI + CNTJ 
SHR [BX + 01 + MASKJ 


BASED 
STRUCTURE 
CONTAINING 
ARRAY 


+ 


DISPL 


Direct 
Register Indirect 
Based 
Indexed 
Based Indexed 
Based Indexed + Displacement 


2.5 INPUT/OUTPUT 


The iAPX 286 allows input/output 
to be 


performed in either of two ways: by means of 
a separate I/O address space (using specific 
I/O 
instructions) or by means of memory- 


mapped I/O (using general-purpose operand 
manipulation instructions). 


2.5.1 I/O Address Space 


The iAPX 
286 provides 
a separate 
I/O 
address space, distinct from physical memory, 
to address the input/output 
ports that 
are 
used for external devices. The I/O 
address 
space consists 
of 216 (64K) 
individually 


addressable 8-bit ports. Any two consecutive 
8-bit ports can be treated as a 16-bit port. 
Thus, the I/O address space can accommo- 
date up to 64K 8-bit ports or up to 32K 
16-bit ports. 


The iAPX 286 can transfer either 8 or 16 bits 
at a time to a device located in the I/O space. 
Like words in memory, 16-bit ports should be 
aligned at even-numbered addresses so that 
the 16 bits will be transferred 
in a single 


access. An 8-bit port may be located at either 
an even or odd address. The internal registers 
in a given peripheral controller device should 
be assigned addresses as shown below. 


Port Register 


16-bit 
a-bit; device on lower half 
of 16-bit data bus 
a-bit; device on upper half 
of 16-bit data bus 


16-bit Displacement in the instruction 
BX,SI,DI 
(BX or BP) + Displacement" 
(SI or 01) + Displacement" 
(BX or BP) + (SI or 01) 
(BX or BP) + (SI or 01) + Displacement" 


The I/O instructions IN and OUT (described 
in section 3.11.3) are provided to move data 
between I/O ports and the AX (I6-bit I/O) 
or AL (8-bit I/O) general registers. The block 
I/O instructions INS and OUTS (described 
in section 4.1) move blocks of data between 
I/O 
ports and memory 
space (as shown 
below). In Protected 
Mode, an operating 
system may prevent a program from execut- 
ing these I/O 
instructions. 
Otherwise, 
the 
function 
of the I/O 
instructions 
and the 
structure. of the I/O space are identical for 
both modes of operation. 


IHS 
e5:byte 
ptr 
[dil, 
DX 


OUTS 
DX, 
byte 
ptr 
[5il 


IN and OUT instructions address I/O with 
either a direct address to one of up to 256 port 
addresses, or indirectly via the DX register to 
one of up to 64K port addresses. Block I/O 
uses the DX register 
to specify 
the I/O 
address and either SI or DI to designate the 
source or destination memory address. For 
each transfer, 
SI or DI are either 
incre- 
mented or decremented as specified by the 
direction bit in the flag word while DX is 
constant to select the I/O device. 


Port Addresses 


even word addresses 
even byte addresses 


Example 


OUT 
FE,AX 
IN 
AL,FE 


2.5.2 
Memory-Mapped I/O 


I/O 
devices also may be placed 
in the iAPX 


286 memory 
address 
space. 
So long as the 


devices 
respond 
like memory 
components, 


they are indistinguishable 
to the processor. 


Memory-mapped 
I/O 
provides 
additional 


programming 
flexibility. 
Any instruction 
that 


references 
memory 
may be used to access an 


I/O 
port located 
in the memory 
space. 
For 


example, 
the MOV 
instruction 
can transfer 


data between 
any register 
and a port; and the 


AND, 
OR, 
and TEST 
instructions 
may 
be 


used to manipulate 
bits in the internal 
regis- 


ters of a device (see figure 
2-14). 
Memory- 


mapped 
I/O 
performed 
via the full instruc- 


tion 
set 
maintains 
the 
full 
complement 
of 


addressing 
modes 
for 
selecting 
the 
desired 


I/O 
device. 


Memory-mapped 
I/O, 
like any other memory 
reference, 
is subject 
to access protection 
and 


control when executing 
in protected 
mode. 


2.6 
INTERRUPTS AND EXCEPTIONS 


The iAPX 
286 architecture 
supports 
several 


mechanisms 
for interrupting 
program 
execu- 


tion. 
Internal 
interrupts 
are 
synchronous 


events that 
are the responses 
of the CPU 
to 


certain 
events detected 
during 
the execution 
of an instruction. 
External 
interrupts 
are 


asynchronous 
events 
typically 
triggered 
by 


external 
devices needing attention. 
The iAPX 


286 supports both maskable 
(controlled 
by the 


IF flag) 
and non-maskable 
interrupts. 
They 


cause the processor to temporarily 
suspend 
its 


present program 
execution 
in order to service 


the requesting 
device. The major 
distinction 
between these two kinds of interrupts 
is their 


origin: an internal 
interrupt 
is always 
repro- 


ducible by re-executing 
with the program 
and 


data 
that 
caused 
the 
interrupt, 
whereas 
an 
external 
interrupt 
is generally 
independent 
of 


the currently 
executing 
task. 


Application 
programmers 
will normally 
not be 


concerned 
with servicing 
external 
interrupts. 


More information 
on external 
interrupts 
for 
system programmers 
may be found in Chapter 


5, section 
5.2, "Interrupt 
Handling 
for Real 


Address 
Mode," 
and 
in Chapter 
9, "Inter- 


rupts, Traps and Faults 
for Protected 
Virtual 


Address 
Mode." 
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mterrupts. 
~lnternal 
mterrupts 
are 
the 
InstructIOn 
operatIOn 
code. 
A 
processor 


result of executing 
an instruction 
which causes 
extension 
error is generated 
when a processor 


the interrupt.) 
One type of interrupt 
is called 
extension 
detects 
an illegal 
operation. 
Refer 


an exception because the interrupt 
only occurs 
to Chapter 
5 for a more complete 
description 


if a particular 
fault condition exists. The other 
of these exception 
conditions. 
type of interrupt 
generates 
the interrupt 
every 


time the instruction 
is executed. 


The 
exceptions 
are: 
divide 
error, 
INTO 


detected overflow, 
bounds check, segment 


overrun, invalid operation code, and proces- 
sor extension error (see table 
2-4). A divide 


error exception 
results 
when the instructions 
DIV 
or 
IDIV 
are 
executed 
with 
a zero 


denominator; 
otherwise, 
the quotient 
will be 


too 
large 
for 
the 
destination 
operand 
(see 


section 
3.3.4 
for 
a discussion 
of DIV 
and 
IDIV). 
An overflow 
exception 
results 
when 


the INTO 
instruction 
is executed 
and the OF 
flag is set (after 
an arithmetic 
operation 
that 


set the overflow (OF) flag). (See section 3.6.3, 
"Software 
Generated 
Interrupts," 
for 
a 
discussion 
of INTO.) 
A bounds check excep- 
tion results 
when the BOUND 
instruction 
is 
executed 
and the array 
index it checks 
falls 
outside the bounds 
of the array. 
(See section 
4.2 for a discussion 
of the BOUND 
instruc- 
tion.) The segment 
overrun 
exception 
occurs 
when a word memory 
reference 
is attempted 


which extends 
beyond 
the end of a segment. 


The 
instruction 
INT 
generates 
an 
internal 
interrupt 
whenever 
it is executed. 
The effects 
of this interrupt 
(and the effects 
of all inter- 
rupts) 
is determined 
by the interrupt 
handler 
routines 
provided by the application 
program 
or as part 
of the system 
software 
(provided 
by system 
programmers). 
See Chapter 
5 for 
more on this topic. The INT instruction 
itself 
is discussed 
in section 3.6.3. 


In Protected 
Mode, 
many 
more fault 
condi- 
tions are detected 
and result in internal 
inter- 


rupts. 
Protected 
Mode 
interrupts 
and faults 
are discussed 
in Chapter 
10. 


2.7 
HIERARCHY OF INSTRUCTION SETS 


For 
descriptive 
purposes, 
the 
iAPX 
286 
instruction 
set is partitioned 
into three distinct 
subsets: 
the 
Basic 
Instruction 
Set, 
the 
Extended 
Instruction 
Set, 
and 
the 
System 
Control 
Instruction 
Set. The "hierarchy" 
of 


instruction 
sets defined 
by this 
partitioning 
helps to clarify 
the relationships 
between 
the 
various processors 
in the iAPX 86 family (see 
figure 2-15). 


Function 
Related Instructions 


- 


Divide error exception 
DIV,IDIV 


INTO detected overflow exception 
INTO 


BOUND range exceeded exception 
BOUND 


Invalid opcode exception 
An'! undefined opcode 


Segment overrun exception 
\"'~ord memory reference with offset = 
FFFF(H)or an attempt to execute past the 
end of a segment 


Processor extension error interrupt 
ESC or WAIT 


The 
Basic 
Instruction 
Set, 
presented 
in 
Chapter 
3, comprises 
the common 
subset 
of 


instructions 
found 
on all processors 
of the 


iAPX 86 family. Included 
are instructions 
for 
logical 
and 
arithmetic 
operations, 
data 
movement, 
input/output, 
string 
manipula- 
tion, and transfer 
of control. 


The 
Extended 
Instruction 
Set, 
presented 
in 
Chapter 
4, consists of those instructions 
found 


only on the iAPX 
186 and iAPX 
286 proces- 
sors. 
Included 
are 
instructions 
for 
block 
structured 
procedure 
entry and exit, parame- 
ter validation, 
and block I/O 
transfers. 


The 
System 
Control 
Instruction 
Set, 
presented 
in Chapter 
10, consists 
of those 
instructions 
unique 
to the iAPX 
286. These 
instructions 
control the memory 
management 
and protection 
mechanisms 
of the iAPX 
286. 
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CHAPTER 3 
BASIC INSTRUCTION SET 


The 
base 
architecture 
of the 
iAPX 
286 is 
identical to the complete instruction 
set of the 


iAPX 86, 88, and 186 processors. 
The iAPX 


286 instruction 
set includes new forms of some 


instructions. 
These new forms reduce program 


size and improve the performance 
and ease of 


implementation 
of source coce. 


This chapter 
describes 
the instructions 
which 
programmers 
can use to write 
application 


software 
for the 
iAPX 
286. 
The 
following 
chapters 
describe 
the 
operation 
of more 
complicated 
I/O 
and 
system 
control 


instructions. 


All instructions 
described 
in this chapter 
are 


available 
for both 
Real 
Address 
Mode 
and 
Protected 
Virtual 
Address 
Mode 
operation. 


The instruction 
descriptions 
note any differ- 


ences that 
exist between 
the operation 
of an 


instruction 
in these two modes. 


This chapter 
also describes 
the operation 
of 
each application 
program-relative 
instruction 


and includes an example 
of using the instruc- 


tion. The Instruction 
Dictionary 
in Appendix 
B contains 
formal 
descriptions 
of all instruc- 


tions. Any opcode pattern that is not described 
in the 
Instruction 
Dictionary 
results 
in an 


opcode violation trap (interrupt 
6). 


3.1 
DATA MOVEMENT INSTRUCTIONS 


These instructions 
provide convenient methods 


for moving 
bytes or words of data 
between 
memory 
and 
the 
registers 
of 
the 
base 


architecture. 


3.1.1 
General-Purpose Data Movement 
Instructions 


MOV (Move) transfers 
a byte or a word from 


the source operand to the destination 
operand. 


The MOV 
instruction 
is useful 
for transfer- 
ring 
data 
to a register 
from 
memory, 
to 
memory 
from 
a register, 
between 
registers, 


immediate-to-register, 
or 
immediate-to- 
memory. 
Memory-to-memory 
or segment 
register-to-segment 
register 
moves 
are not 
allowed. 


Example: 
MOV DS,AX 


Replaces 
the contents 
of register 
DS with the contents 
of register 
AX. 


XCHG 
(Exchange) 
swaps the contents 
of two 
operands. 
This instruction 
takes the place of 
three MOV instructions. 
It does not require 
a 
temporary 
memory 
location 
to 
save 
the 
contents 
of one operand 
while you load the 
other. 


The XCHG 
instruction 
can swap 
two byte 
operands or two word operands, 
but not a byte 
for a word or a word for a byte. The operands 
for the XCHG 
instruction 
may be two regis- 
ter operands, 
or a register 
operand 
with 
a 
memory operand. 


Example: 
XCHG 
BX,WORDOPRND 


Swaps the contents 
of register 
BX 
with the contents 
of the memory 
word 
identified 
by 
the 
label 
WORDOPRND 
after 
asserting 
bus lock. 


3.1.2 
Stack Manipulation Instructions 


PUSH 
(Push) 
decrements 
the 
stack 
pointer 
(SP) by two and then transfers 
a word from 
the 
source 
operand 
to 
the 
top 
of 
stack 
indicated 
by SP. 
See figure 
3-1. PUSH 
is 
often used to place parameters 
on the stack 


before calling a procedure; 
it is also the basic 
means of storing 
temporary 
variables 
on the 


stack. 
The PUSH 
instruction 
operates 
on 


memory 
operands, 
immediate 
memory 
operands 
(new 
with 
the 
iAPX 
286), 
and 


register 
operands 
(including 
segment 


registers ). 


, 
, 
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OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 


Example: 
PUSH 
WORDOPRND 


Transfers 
a l6-bit 
value from the 


memory 
word 
identified 
by the 


label 
WORDOPRND 
to 
the 


memory 
location 
which 
repre- 
sents 
the 
current 
top 
of stack 
(byte transfers 
are not allowed). 
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OPERAND 
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- 
SP ALWAYS 
POINTS TO 


THE LAST WORD PUSHED 
ONTO THE STACK 
(TOS) 


SS ALWAYS 
POINTS TO 
LOWEST ADDRESS USED BY 
THE STACK 


PUSHA 
(Push 
All 
Registers) 
saves 
the 


contents 
of the eight general 
registers 
on the 


stack. See figure 3-2. This instruction 
simpli- 


fies procedure 
calls by reducing 
the number 


of instructions 
required 
to retain the contents 


of the general 
registers 
for use in a proce- 


dure. 
PUSHA 
is complemented 
by POP A 


(see below). 
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OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 


The processor 
pushes the general 
registers 
on 
the stack in the following order: AX, ex, DX, 
BX, the initial 
value of SP before 
AX was 
pushed, BP, SI, and DI. 


Example: 
PUSHA 


Pushes onto the stack the contents 
of the eight general 
registers. 
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the 
contents 
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memory location 
at the top of 
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two to point to the new top of stack. See 
figure 3-3. POP moves information from the 
stack to either a register or memory. The only 
restriction on POP is that it cannot place a 
value in register CS. 
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OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 


POP A 
(Pop 
All 
Registers) 
restores 
the 
registers 
saved on the stack by PUSHA, 
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except 
that 
it ignores 
the value 
of SP. See 


figure 3-4. 


Example: 
POP A 


Pops 
from 
the 
stack 
the 
saved 
contents 
of the general 
registers, 


and restores 
the registers 
(except 
SP) to their original 
state. 


3.2 
FLAG OPERATION WITH THE BASIC 
INSTRUCTION SET 


The status flags of the FLAGS 
register reflect 
conditions 
that 
result 
from 
a 
previous 


, 
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AX 


ex 


OX 


BX 


5P 


BP 


51 


01 


, 
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instruction 
or instructions. 
The arithmetic 
instructions 
use OF, SF, ZF, AF, PF, and CF. 


The SCAS 
(Scan 
String), 
CMPS 
(Compare 
String), 
and 
LOOP 
instructions 
use ZF 
to 
signal that their operations 
are complete. 
The 
base architecture 
includes 
instructions 
to set, 
clear, 
and complement 
CF before 
execution 
of an arithmetic 
instruction. 
See figure 
3-4a 
and tables 3-1 and 3-2. 


3.2.2 
Control Flags 


The 
control 
flags 
of the 
FLAGS 
register 
determine 
processor 
operations 
for string 
instructions, 
maskable 
interrupts, 
and 
debugging. 
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STATUS 
FLAGS: 


CARRY 


PARITY 


AUXILIARY 
CARRY 


ZERO 
--------------- 


SIGN 


OVERFLOW 


CONTROL FLAGS: 


---------- 
TRAP FLAG 


------------ 
INTERRUPT ENABLE 


-------------- 
DIRECTION FLAG 


SPECIAL FIELDS: 


I/O 
PRIVILEGE LEVEL 


NESTED TASK FLAG 


Setting 
DF 
(direction 
flag) 
causes 
string 


instructions 
to auto-decrement; 
that 
is, to 
process 
strings 
from 
high 
addresses 
to low 


addresses, 
or from 
"right-to-left." 
Clearing 
DF causes 
string 
instructions 
to auto-incre- 
ment, 
or to process 
strings 
from 
"left-to- 
right. " 


Setting IF (interrupt flag) 
allows the CPU to 


recognize 
external 
(maskable) 
interrupt 
requests. 
Clearing 
IF 
disables 
these 
inter- 
rupts. 
IF has no effect 
on either 
internally 
generated 
interrupts, 
nonmaskable 
external 
interrupts, 
or processor 
extension 
segment 
overrun interrupts. 


Setting 
TF (trap flag) 
puts the processor 
into 


single-step 
mode for debugging. 
In this mode, 
the CPU automatically 
generates 
an internal 
interrupt 
after 
each 
instruction, 
allowing 
a 


program 
to be inspected 
as it executes 
each 
instruction, 
instruction 
by instruction. 


3.3 
ARITHMETIC INSTRUCTIONS 


The arithmetic 
instructions 
of the iAPX 
86- 
family 
processors 
simplify 
the manipulation 
of numerical 
data. Multiplication 
and division 
instructions 
ease the handling 
of signed 
and 
unsigned 
binary integers 
as well as unpacked 
decimal integers. 


An arithmetic 
operation 
may consist 
of two 
register 
operands, 
a general 
register 
source 


operand 
with a memory 
destination 
operand, 


a memory 
source 
operand 
with 
a register 
destination 
operand, 
or an immediate 
field 


with either 
a register 
or memory 
destination 


operand, 
but 
not 
two 
memory 
operands. 


Arithmetic 
instructions 
can operate 
on either 
byte or word operands. 


Bit 
Name 
Function 
Position 


0 
CF 
Carry Flag-Set on high-orderbit 
carry or borrow; cleared other- 
wise 


2 
PF 
Parity Flag-Set 
if low-order 
II 
eight bits of result contain an 
even number of 1 bits; cleared 
otherwise 


4 
AF 
Set on carry from or borrow to 
the low order four bits of AL; 
cleared otherwise 


6 
ZF 
Zero Flag-Set 
if result is zero; 
cleared otherwise 


7 
SF 
Sign Flag-Set 
equal to high- 
order bit of result (0 if positive, 1 
if negative) 


11 
OF 
Overflow Flag-Set 
if result is 
too-large a positive number or 
too-small 
a negative 
number 
(excluding 
sign-bit) 
to 
fit 
in 
destination 
operand; 
cleared 
otherwise 


Bit 
Name 
Function 
Position 


8 
TF 
Single Step Flag-Once 
set, a 
single step interrupt occurs after 
the next instruction executes. TF 
is cleared by the single step 
interrupt. 


9 
IF 
Interrupt-enableFlag-When set, 
maskableinterruptswill causethe 
CPU to transfer 
control to an 
interrupt 
vector-specified 
location. 


10 
DF 
Direction Flag-Causes 
string 
instructions to auto decrement 
the appropriate index registers 
when set. Clearing DF causes 
auto increment. 


3.3.1 Addition Instructions 


ADD (Add Integers) 
replaces 
the destination 
operand 
with the sum of the source and desti- 
nation 
operands. 
ADD 
affects 
OF, SF, AF, 


PF, CF, and ZF. 


Example: 
ADD BL, BYTEOPRND 


Adds the contents 
of the memory 
byte 
labeled 
BYTEOPRND 
to 
the contents 
of BL, and replaces 
BL with the resulting 
sum. 


ADC 
(Add 
Integers 
with 
Carry) 
sums 
the 
operands, 
adds one if CF is set, and replaces 
the destination 
operand 
with the result. ADC 
can be used to add numbers 
longer 
than 
16 
bits. 
ADC 
affects 
OF, 
SF, 
AF, 
PF, 
CF, 
and ZF. 


Example: 
ADC BX, CX 


Replaces 
the 
contents 
of 
the 
destination 
operand 
BX with the 
sum of BX, CS, and 
1 (if CF is 
set). 
If 
CF 
is 
cleared, 
ADC 
performs 
the 
same 
operation 
as 
the ADD instruction. 


INC 
(Increment) 
adds one to the destination 
operand. 
The processor 
treats 
the operand 
as 
an unsigned binary number. 
INC updates AF, 


OF, PF, SF, and ZF, but it does not affect 
CF. Use ADD with an immediate 
value of 1 
if an increment 
that 
updates 
carry 
(CF) 
is 
needed. 


Example: 
INC BL 


Adds 1 to the contents 
of BL. 


3.3.2 Subtraction Instructions 


SUB (Subtract 
Integers) 
subtracts 
the source 
operand 
from 
the 
destination 
operand 
and 
replaces 
the destination 
operand 
with 
the 
result. 
If a borrow. is required, 
carry 
flag is 
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contents 
of AL and returns 
the double-length 
result to AH and AL. 


Example: 
SUB WORDOPRND, 
AX 


Replaces 
the contents 
of the des- 
tination 
operand 
WORDOPRND 
with 
the 
result 
obtained 
by 
subtracting 
the 
contents 
of AX 
from the contents 
of the memory 
word labeled WORDOPRND. 


SBB 
(Subtract 
Integers 
with 
Borrow) 
subtracts 
the source operand 
from the desti- 
nation operand, 
subtracts 
1 if CF is set, and 
returns 
the result to the destination 
operand. 
The operands may be signed or unsigned bytes 
or words. 
SBB 
may 
be used 
to subtract 
numbers 
longer than 
16 bits. This instruction 
affects 
OF, 
SF, ZF, 
AF, PF, 
and CF. 
The 
carry flag is set if a borrow is required. 


Example: 
SBB BL, 32 


Subtracts 
32 from the contents 
of 
BL 
and 
then 
decrements 
the 
result of this subtraction 
by one if 
CF is set. If CF is cleared, 
SBB 
performs 
the 
same 
operation 
as SUB. 


DEe 
(Decrement) 
subtracts 
1 from the desti- 
nation 
operand. 
DEC 
updates 
AF, OF, 
PF, 
SF, and ZF, but it does not affect 
CF. Use 
SUB with an immediate 
value of 1 to perform 
a decrement 
that affects carry. 


Example: 
DEC BX 


Subtracts 
1 from the contents 
of 
BX 
and 
places 
the 
result 
back 
in BX. 


3.3.3 
Multiplication 
Instructions 


MUL 
(Unsigned 
Integer 
Multiply) 
performs 
an unsigned 
multiplication 
of the 
source 


If the source operand 
is a word, the processor 
multiplies 
it by the 
contents 
of AX 
and 
returns 
the double-length 
result 
to DX and 
AX. MUL 
sets CF and OF to indicate 
that 
the upper half of the result is nonzero; 
other- 
wise, they are cleared. 
This instruction 
leaves 
SF, ZF, AF, and PF undefined. 


Example: 
MUL 
BX 


Replaces 
the contents 
of DX and 
AX with the product 
of BX and 
AX. The low-order 
16 bits of the 
result replace the contents 
of AX; 
the high-order 
word goes to DX. 
The processor 
sets CF and OF if 
the unsigned result is greater 
than 
16 bits. 


IMUL 
(Signed 
Integer 
Multiply) 
performs 
a 
signed 
multiplication 
operation. 
IMUL 
uses 
AX and DX in the same way as the 
MUL 
instruction, 
except when used in the immedi- 
ate form. 


The 
immediate 
form 
of IMUL 
allows 
the 
specification 
of a destination 
register 
other 
tha~ the combination 
of DX and AX. In this 
casd, the result cannot exceed 16 bits without 
causing an overflow. If the immediate 
operand 
is a byte, the processor 
automatically 
extends 
it 
to 
16 
bits 
before 
performing 
the 
multiplication. 


The immediate 
form of IMUL 
may also be 
used with unsigned 
operands 
because 
the low 
16 bits of a signed or unsigned 
multiplication 
of two 16-bit values will always be the same. 


IMUL 
clears CF and OF to indicate 
that the 
upper half of the result is the sign of the lower 


half. This instruction 
leaves SF, ZF, AF, and 
PF undefined. 


Example: 
IMUL 
BL 


Replaces 
the contents 
of AX with 
the product 
of BL and AL. The 
processor 
sets CF and OF if the 
result is more than 8 bits long. 


Example: 
IMUL 
BX, SI, 5 


Replaces 
the contents 
of BX with 
the product 
of the contents 
of SI 


and an immediate 
value of 5. The 
processor 
sets CF and OF if the 
signed 
result 
is 
longer 
than 
16 bits. 


3.3.4 
Division Instructions 


DIV 
(Unsigned 
Integer 
Divide) 
performs 
an 


unsigned 
division of the accumulator 
by the 


source 
operand. 
If the 
source 
operand 
is a 
byte, 
it is divided 
into 
the 
double-length 


dividend 
assumed 
to be in registers 
AL and 


AH 
(AH 
= most 
significant 
byte; 
AL = 
least 
significant 
byte). 
The 
single-length 
quotient 
is returned 
in AL, 
and the single- 
length remainder 
is returned 
in AH. 


If the source operand 
is a word, it is divided 


into the double-length 
dividend 
in registers 


AX and 
DX. 
The 
single-length 
quotient 
is 
returned 
in 
AX, 
and 
the 
single-length 
remainder 
is returned 
in DX. 
Non-integral 
quotients 
are truncated 
to integers 
toward 
O. 
The 
remainder 
is 
always 
less 
than 
the 
quotient. 


For 
unsigned 
byte 
division, 
the 
largest 
quotient 
is 255. For unsigned 
word division, 


the largest quotient 
is 65,535. DIY leaves OF, 
SF, ZF, 
AF, PF, and CF undefined. 
Inter- 
rupt (INT 
0) occurs 
if the divisor is zero or 
if the quotient 
is too large for AL or AX. 


Example: 
DIY BX 


Replaces 
the contents 
of AX with 
the 
unsigned 
quotient 
of 
the 
doubleword 
value 
contained 
in 
DX and AX, divided by BX. The 
unsigned 
modulo 
replaces 
the 
contents 
of DX. 


Example: 
DIY BL 


Replaces 
the contents 
of AL with 
the unsigned 
quotient 
of the word 
value in AX, divided by BL. The 
unsigned 
modulo 
replaces 
the 
contents 
of AH. 


IDIV 
(Signed 
Integer 
Divide) 
performs 
a 
signed 
division 
of the 
accumulator 
by 
the 
source operand. 
IDlY uses the same registers 
as the DIY instruction. 


For 
signed 
byte 
division, 
the 
maximum 
positive quotient 
is + 127 and the minimum 
negative 
quotient 
is -128. For signed 
word 
division, 
the 
maximum 
positive 
quotient 
is 
+32,767 and the minimum 
negative 
quotient 
is 
- 32,768. 
Non-integral 
results 
are 
truncated 
towards 
O. The 
remainder 
will 
always have the same sign as the dividend and 
will be less than 
the 
divisor 
in magnitude. 
IDlY 
leaves OF, 
SF, ZF, 
AF, 
PF, 
and CF 
undefined. 
A division by zero causes an inter- 
rupt (INT 
0) to occur if the divisor is 0 or if 
the quotient 
is too large for AL or AX. 


Example: 
IDlY WORDOPRND 


Replaces 
the contents 
of AX with 
the signed quotient 
of the double- 
word value contained 
in DX and 
AX, 
divided 
by 
the 
value 
contained 
in the 
memory 
word 
labeled 
WORDOPRND. 
The 
signed 
modulo 
replaces 
the 
contents 
of DX. 


3.4 
LOGICAL INSTRUCTIONS 


The group of logical instructions includes the 
Boolean operation 
instructions, 
rotate and 


shift instructions, 
type conversion instruc- 


tions, 
and 
the 
no-operation 
(NOP) 


instruction. 


3.4.1 
Boolean Operation Instructions 


Except for the NOT and NEG instructions, 
the Boolean operation instructions can use two 
register operands, a general purpose register 
operand with a memory operand, an immedi- 
ate operand with a general purpose register 
operand, or a memory operand. The NOT and 
NEG instructions are unary operations that 
use a single operand in a register or memory. 


AND (And) performs the logical "and" of the 
operands (byte or word) and returns the result 
to the destination operand. AND clears OF 
and DF, leaves AF undefined, and updates 
SF, ZF, and PF. 


Example: 
AND WORDOPRND, 
BX 


Replaces 
the 
contents 
of 


WORDOPRND 
with the logical 


"and" 
of 
the 
contents 
of 


the 
memory 
word 
labeled 


WORDOPRND 
and the contents 


ofBX. 


NOT 
(Not) inverts the bits in the specified 
operand to form a one's complement of the 
operand. NOT has no effect on the flags. 


Example: 
NOT BYTEOPRND 


Replaces the original contents of 
BYTEOPRND 
with the one's 


complement of the contents of 
the 
memory 
word 
labeled 


BYTEOPRND. 


OR (Or) performs the logical "inclusive or" 
of the two operands and returns the result to 
the destination operand. OR clears OF and 
DF, leaves AF undefined, and updates SF, 
ZF, and PF. 


Example: 
OR AL,5 


Replaces the original contents of 
AL with the logical "inclusive or" 
of the contents of AL and the 
immediate value 5. 


XOR 
(Exclusive 
OR) 
performs the logical 


"exclusive or" of the two operands and returns 
the result to the destination operand. XOR 
clears OF and DF, leaves AF undefined, and 
updates SF, ZF, and PF. 


Example: 
XOR DX, WORDOPRND 


Replaces the original contents of 
DX with the logical "exclusive or" 
or the contents of DX and the 
contents 
of the memory 
word 
labeled WORDOPRND. 


NEG 
(Negate) forms a two's complement of 
a signed byte or word operand. The effect of 
NEG is to reverse the sign of the operand 
from positive to negative or from negative to 
positive. NpG updates OF, SF, ZF, AF, PE, 
and CF. 


Example: 
NEG AX 


Replaces the original contents of 
AX with the two's complement of 
the contents of AX. 


3.4.2 
Shift and Rotate Instructions 


The shift and rotate instructions reposition the 
bits within the specified operand. The shift 
instructions 
provide a convenient 
way to 
accomplish 
division or multiplication 
by 


binary power. The rotate 
instructions 
are 
useful for bit testing. 


3.4.2.1 
SHIFT INSTRUCTIONS 


The bits in bytes and words may be shifted 
arithmetically 
or logically. 
Depending 
on the 


value of a specified count, up to 31 shifts may 
be performed. 


A shift instruction 
can specify 
the count 
in 


one of three ways. One form of shift instruc- 
tion implicitly 
specifies 
the count 
as a single 


shift. The second form specifies the count as 
an immediate 
value. The third form specifies 


the count as the value contained 
in CL. This 


last 
form 
allows 
the 
shift 
count 
to 
be 
a 


variable 
that 
the program 
supplies 
during 


execution. 


Shift instructions 
affect 
the flags as follows. 


AF is always 
undefined 
following 
a shift 


operation. 
PF, 
SF, 
and 
ZF 
are 
updated 
normally 
as in the logical instructions. 


CF always contains 
the value of the last bit 


shifted 
out of the destination 
operand. 
In a 


single-bit 
shift, OF is set if the value of the 
high-order 
(sign) 
bit was changed 
by the 


operation. 
Otherwise, 
OF is cleared. 
Follow- 


ing a multibit 
shift, however, 
the content 
of 
OF is always undefined. 


SAL 
(Shift 
Arithmetic 
Left) 
shifts the desti- 
nation byte or word operand 
left by one or by 
the 
number 
of bits 
specified 
in the 
count 
operand 
(an 
immediate 
value 
or the 
value 


contained 
in CL). The processor 
shifts zeros 
in from the right side of the operand 
as bits 
exit from the left side. See figure 3-5. 


Example: 
SAL BL,2 


Shifts 
the contents 
of BL left by 
2 bits and replaces 
the two low- 
order bits with zeros. 


Example: 
SAL BL,l 


Shifts the contents 
of BL left by 
I bit and replaces 
the low-order 
bit 
with 
a 
zero. 
Because 
the 
processor does not have to decode 
the immediate 
count 
operand 
to 
obtain 
the shift count, 
this form 
of the 
instruction 
takes 
2 clock 
cycles 
rather 
than 
the 
6 clock 
cycles 
(5 cycles + 
1 cycle 
for 
each bit shifted) 
required 
by the 
previous example. 


SHL 
(Shift 
Logical 
Left) 
is physically 
the 
same instruction 
as SAL (see SAL above). 


SHR 
(Shift 
Logical 
Right) 
shifts 
the desti- 
nation 
byte or word operand 
right by one or 
by the number 
of bits specified 
in the count 
operand 
(an 
immediate 
value 
or the 
value 
contained 
in CL). 
The processor 
shifts zeros 
in from the left side of the operand 
as bits 
exit from the right side. See figure 3-6. 


BEFORE 
SAL OR 
SHL 


AFTER 
SALOR 
SHL BY 
1 BIT 


AFTER 
SAL OR 
SHL BY 
8 BITS 


Both SAL and SHL shift the bits In the register 
or memory 
operand 
to the left by the specified 
number 
of bit positions. 
CF receives 
the 
I.st 
bit shifted 
out of the left of the operand. 
SAL and SHL shift 
In zeros to fill the vacated 
bit locations. 
These Instructions 
operate 
on 
byte opersnd8 
88 well 88 word operands. 


Example: 
SHR 
BYTEOPRND, 
CL 


Shifts the contents 
of the memory 
byte labeled BYTEOPRND 
right 


by the number 
of bits specified 
in 


CL, 
and 
pads 
the 
left 
side 
of 


BYTEOPRND 
with 
an 
equal 


number 
of zeros. 


SAR 
(Shift 
Arithmetic 
Right) 
shifts 
the 
destination 
byte or word operand 
to the right 


by one or by the number 
of bits specified 
in 


the count operand 
(an immediate 
value or the 


value 
contained 
in 
CL). 
The 
processor 


preserves 
the sign of the operand 
by shifting 


in zeros on the left side if the value is positive 
or by shifting by ones if the value is negative. 
See figure 3-7. 


Example: 
SAR WORDPRND, 
I 


Shifts the contents 
of the memory 


byte labeled 
WORDPRND 
right 


by one, 
and 
replaces 
the 
high- 


order sign bit with a value equal 
to 
the 
original 
sign 
of 


WORDPRND. 


0 


BEFORE 
SHR 


D 


AFTER 
SHR BY 
1 BIT 


D 


AFTER 
SHR BY 
10 BITS 


CF 


SHR shifts 
the bits 
In the register 
or memory 
operand 
to the right 
by the specified 
number 
01 bit positions. 
CF receives 
the I.st 
bit shifted 
out of the right of the operand. 
SHR shifts In zeros to fill the vacated 
bit locations. 
This Instruction 
operates 
on byte operands 
8S well 8S 
word operands. 


BEFORE 
0 


SAR 
WITH A 
POSITIVE 
OPERAND 
AFTER 
SAR 
[] 


WITH A 
POSITIVE 
OPERAND 
SHIFTED 
1 BIT 


0 


BEFORE 
SARWITH 
A NEGATIVE 
OPERAND 


AFTER 
SAR 
G 


WITH A 
NEGATIVE 
OPERAND 
SHIFTED 


OPERAND 
CF 
6 BITS 


KOtate Insuuctlons 
alluw 
UIlS 
III 
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dllU 
words to be rotated. 
Bits rotated 
out of an 
operand 
are 
not lost as in a shift, 
but 
are 
"circled" 
back 
into the 
other 
"end" 
of the 
operand. 


Rotates 
affect 
only the 
carry 
and 
overflow 


flags. 
CF 
may 
act 
as an extension 
of the 


operand 
in two 
of the 
rotate 
instructions, 


allowing 
a bit to be isolated 
and then tested 


by a conditional 
jump 
instruction 
(JC 
or 
JNC). 
CF always 
contains 
the value 
of the 
last bit rotated out, even if the instruction 
does 


not use this bit as an extension 
of the rotated 


operand. 


In single-bit 
rotates, 
OF is set if the operation 


changes the high-order 
(sign) bit of the desti- 


nation 
operand. 
If the 
sign 
bit 
retains 
its 


ROL 
(Rotate 
Left) 
rotates 
the byte or word 
destination 
operand 
left 
by one 
or by the 
number of bits specified in the count operand 
(an immediate 
value or the value contained 
in CL). For each rotation 
specified, 
the high- 
order 
bit 
that 
exists 
from 
the 
left 
of the 
operand 
returns 
at the right 
to become 
the 
new 
low-order 
bit 
of 
the 
operand. 
See 
figure 3-8. 


Example: 
ROL AL, 8 


Rotates the contents of AL left by 
8 bits. 
This 
rotate 
instruction 
returns AL to its original state but 
isolates 
the low-order 
bit in CF 
for 
testing 
by 
a 
JC 
or 
JNC 
instruction. 


ROL shifts the bits in the memory 
or register 
operand 
to the left by the specified 
number 
of bit positions. 
It copies 
the bit Shifted 
out of 
the left of the operand 
Into the right of the operand. 
The last bit shifted 
Into the least significant 
bit of the operand 
also appear. 
in CF. 
This Instruction 
also operates 
on byte operands. 


ROR (Rotate Right) rotates 
the byte or word 


destination 
operand 
right 
by one or by the 


number of bits specified in the count operand 
(an immediate 
value or the value contained 


in CL). 
For each rotation 
specified, 
the low- 


order 
bit 
that 
exits 
from 
the 
right 
of the 


operand 
returns 
at the left to become the new 
high-order 
bit 
of 
the 
operand. 
See 


figure 3-9. 


Example: 
ROR WORDOPRND, 
CL 


Rotates 
(he 
contents 
of 


the 
memory 
word 
labeled 


WORDOPRND 
by the 
number 
of bits 
specified 
by the 
value 
contained 
in CL. CF reflects 
the 
value of the last bit rotated 
from 


the right 
to the 
left 
side of the 
operand. 


0 
BEFORE ROR 


G 
AFTER ROR BY 1 BIT 


~ 
AFTER ROR BY 8 BITS 


OPERAND 
CF 


ROA shitt. 
the bits In the memory 
or register 
operand 
to the right by the specified 
number 
of bit positions. 
It copies 
each 
bit shifted 
out 
of the right of the operand Into the left of the operand. 
The last bit shifted 
Into the most significant 
bit of the operand 
also appears In 
CF. This Instruction 
also operates 
on byte operands. 


RCL (Rotate Through Carry Left) rotates bits 
in the byte or word destination operand left 
by one or by the number of bits specified in 
the count operand (an immediate value or the 
value contained in CL). 


as the low-order bit on the next rotation cycle. 
See figure 3-10. 


This instruction differs form ROL in that it 
treats CF as a high-order I-bit extension of 
the destination operand. Each high-order bit 
that exits from the left side of the operand 
moves to CF before it returns to the operand 


Example: 
RCL BX,l 


Rotates the contents of BX left by 
one bit. The high-order bit of the 
operand 
moves 
to 
CF, 
the 
remaining 15 bits move left one 
position, and the original value of 
CF becomes the new low-order 
bit. 


RCl ,otatea 
the blta In the memo,y 
0' ,eglate, 
operand 
to the leflln 
the aama way aa ROl except 
that RClt,eata 
CF aa a l·blt 
extenalon 
of the operand. 
Note that a 16-blt RCl produceathe 
aame reault aa a 1-blt RCR (though 
Ittakea 
much longer 
to execute). 
Thla Inat'uctlon 
al80 operate. 
on byte operandI. 


OILS m me oyle or worn aeSlmatIOn operand 
right by one or by the number 
of bits speci- 


fied in the count operand 
(an immediate 
value 


or the value contained 
in CL). 


This instruction 
differs 
from ROR 
in that 
it 


treats CF as a low-order 
I-bit extension of the 


destination 
operand. 
Each low-order 
bit that 


exits from the right side of the operand 
moves 
to CF before it returns 
to the operand 
as the 


Example: 
RCR BYTEOPRND,3 


Rotates 
the 
contents 
of 
the 


memory 
byte 
labeled 
BYTEOPRND 
to the right 
by 3 


bits. 
Following 
the 
execution 
of 


this 
instruction, 
CF 
reflects 
the 
original 
value of bit number 
5 of 


BYTEOPRND, 
and the original 
value of CF becomes bit 2. 


Ll 


BEFORE RCR 


~ 
AFTER RCR BY 1 BIT 


~ 
AFTER RCR BY 3 BITS 


OPERAND 
CF 


InstruCtions 


The 
type 
conversion 
instructions 
prepare 
operands 
for division. The NOP instruction 
is 
a I-byte 
filler instruction 
with no effect 
on 
registers 
or flags. 


CWD 
(Convert 
Word 
to 
Double-Word) 
extends 
the sign of the word in register 
AX 
throughout 
register DX. CWD does not aff.ect 


any flags. 
CWD 
can be used 
to produce 
a 
double-length 
(double-word) 
dividend 
from a 
word before a word division. 


CBW (Convert Byte to Word) extends the sign 
of the byte in register 
AL throughout 
AX. 
CBW does not affect any flags. 


Example: 
CWD 


Sign-extends 
the 
16-bit 
value 
in 
AX to a 32-bit value in DX and 
AX 
with 
the 
high-order 
16-bits 
occupying 
DX. 


NOP 
(No 
Operation) 
occupies 
a byte 
of 
storage 
but 
affects 
nothing 
but the instruc- 
tion pointer, 
IP. The amount 
of time that 
a 
NOP instruction 
requires 
for execution 
varies 
in proportion 
to the CPU clocking 
rate. ,This 
variation 
makes 
it inadvisable 
to use NOP 
instructions 
in the construction 
of timing loops 
because the operation 
of such a program 
will 
not be independent 
of the system 
hardware 
configuration. 


Example: 
NOP 


The processor 
performs 
no opera- 
tion for 2 clock cycles. 


The test and compare 
instructions 
are similar 
in that 
they 
do not 
alter 
their 
operands. 
Instead, 
these 
instructions 
perform 
opera- 
tions 
that 
only set the 
appropriate 
flags 
to 
indicate 
the 
relationship 
between 
the two 
operands. 


tne twO opera nus, 
\.;Il;al~ vr 
i:1I1ULH, 
1\"an,i> 
AF undefined, 
and updates 
SF, ZF, and PF. 
The difference 
between 
TEST 
and AND 
is 
that 
TEST 
does 
not alter 
the 
destination 
operand. 


Performs 
a logical "and" 
and sets 
SF, ZF, and PF according 
to the 
results 
of this 
operation. 
The 
contents 
of 
BL 
remain 
unchanged. 


CMP (Compare) subtracts 
the source operand 
from the destination 
operand. 
It updates 
OF, 
SF, ZF, AF, PF, and CF but does not alter 
the source and destination 
operands. 
A subse- 
quent signed or unsigned 
conditional 
transfer 
instruction 
can 
test 
the 
result 
using 
the 
appropriate 
flag result. 


CMP 
can compare 
two register 
operands, 
a 
register 
operand 
and 
a memory 
operand, 
a 
register 
operand 
and an immediate 
operand, 
or an immediate 
operand 
and 
a memory 
operand. The operands may be words or bytes, 
but CMP cannot compare 
a byte with a word. 


Example: 
CMP BX,32 


Subtracts 
the immediate 
operand, 
32, from the contents 
of BX and 
sets OF, SF, ZF, AF, PF, and CF 
to reflect the result. The contents 
of BX remain 
unchanged. 


3.6 CONTROL TRANSFER INSTRUCTIONS 


The iAPX 286 provides both conditional 
and 
unconditional 
program 
transfer 
instructions 
to 
direct 
the 
flow of execution. 
Conditional 
program 
transfers 
depend 
on the 
results 
of 
operations 
that 
affect 
the 
flag 
register. 


Unconditional 
program 
transfers 
are always 
executed. 


3.6.1 
Unconditional 
Transfer 
Instructions 


JMP, 
CALL, 
RET, 
INT 
and IRET 
instruc- 


tions transfer 
control 
from one code segment 
location 
to another. 
These 
locations 
can be 


within the same code segment 
or in different 


code segments. 


3.6.1.1 
JUMP INSTRUCTION 


JMP 
(Jump) unconditionally 
transfers 
control 


to the 
target 
location. 
JMP 
is a one-way 


transfer 
of execution; it does not save a return 


address on the stack. 


The 
JMP 
instruction 
always 
performs 
the 


same 
basic 
function 
of transferring 
control 


from the current 
location 
to a new location. 


Its implementation 
varies 
depending 
on the 


following factors: 


• 
Is the address specified directly within the 
instruction 
or indirectly 
through 
a regis- 


ter or memory. 


• 
Is the target location inside or outside the 
current 
code segment 
selected 
in CS? 


A direct 
JMP 
instruction 
includes 
the desti- 
nation 
address 
as part of the instruction. 
An 
indirect 
JMP 
instruction 
obtains 
the destina- 
tion address indirectly 
through 
a register 
or a 
pointer variable. 


Control 
transfers 
through 
a gate or to a task 


state segment 
are available 
only in Protected 


Mode operation of the iAPX 286. The formats 
of the 
instructions 
that 
transfer 
control 
through 
a call gate, a task gate, or to a task 


state 
segment 
are 
the 
same. 
The 
label 
included in the instruction 
selects one of these 
three paths to a new code segment. 


Direct JMP 
within the current code segment. 


A direct JMP that transfers 
control to a target 
location within the current 
code segment 
uses 


a relative displacement 
value contained 
in the 
instruction. 
This can be either 
a 16-bit value 


or an 8-bit value sign extended 
to 16 bits. The 
processor forms an effective address by adding 
this 
relative 
displacement 
to the 
address 
contained 
in IP. IP refers to the next instruc- 
tion when the additions 
are performed. 


Example: 
JMP NEAR_NEWCODE 


Transfers 
control 
to 
the 
target 
location 
labeled 
NEAILNEWeODE, 
which 
is 
within the code segment currently 
selected in CS. 


Indirect 
JMP 
within 
the 
current 
code 
segment. 
Indirect 
JMP 
instructions 
that 
transfer 
control 
to a location 
within 
the 
current 
code 
segment 
specify 
an absolute 
address 
in one of several 
ways. 
First, 
the 
program 
can JMP 
to a location 
specified 
by 
a 16-bit register 
(any of AX, DX, ex, 
BX, 
BP, SI, or DI). The processor 
moves this 16- 
bit value into IP and resumes 
execution. 


Example: 
JMP 
SI 


Transfers 
control 
to the 
target 
address formed by adding the 16- 
bit value 
contained 
in SI to the 
base address 
contained 
in es. 


The processor 
can also obtain the destination 
address 
within 
a current 
segment 
from 
a 
memory 
word 
operand 
specified 
in 
the 
instruction. 


Example: 
JMP PTR_X 


Transfers 
control 
to the target 
address formed by adding the 16- 
bit value contained 
in the memory 
word labeled 
PTR 
X to the base 
address contained 
in es. 


A register 
can 
modify 
the 
address 
of the 
memory 
word pointer 
to select a destination 
address. 


Example: 
JMP 
CASE_TABLE 
[BX] 


CASE_TABLE 
is the first word 


in an array of word pointers. 
The 
value 
of BX determines 
which 
pointer 
the program 
selects from 
the 
array. 
The 
JMP 
instruction 
then 
transfers 
control 
to 
the 
location 
specified 
by the selected 
pointer. 


Direct JMP 
outside 
of the current 
code 


segment. Direct JMP instructions 
that specify 


a target 
location 
outside 
the 
current 
code 


segment 
contain 
a full 
32-bit 
pointer. 
This 


pointer consists of a selector for the new code 
segment 
and 
an 
offset 
within 
the 
new 


segment. 


Places 
the 
selector 
contained 
in 
the 
instruction 
into CS 
and 
the 
offset 
into 
IP. 
The 
program 
resumes execution 
at this location 
in the new code segment. 


Indirect JMP outside of the current code 
segment. 
Indirect 
JMP 
instructions 
that 


specify a target 
location 
outside 
the current 


code segment 
use a double-word 
variable 
to 


specify the pointer. 


Example: 
JMP 
NEWCODE 


NEWCODE 
the first word of two 
consecutive 
words 
in 
memory 
which represent 
the new pointer. 


NEWCODE 
contains 
the 
new 
offset for IP and the word follow- 
ing 
NEWCODE 
contains 
the 
selector 
for 
CS. 
The 
program 
resumes execution 
at this location 


in 
the 
new 
code 
segment. 


(Protected 
mode 
programs 
treat 


this 
differently. 
See 
Chapters 
6 
and 7). 


Direct JMP 
outside 
of the current 
code 


segment to a call gate. If the selector included 
with the instruction 
refers to a call gate, then 
the processor ignores the offset in the instruc- 
tion and takes the pointer of the routine being 
entered 
from the call gate. 


JMP 
outside 
of current 
code 
segment 
may 


only go to the same level. 


The 
selector 
in the 
instruction 
refers 
to 
the 
call 
gate 
CALL_GA TE_FOO, 
and the call 
gate 
actually 
provides 
the 
new 


contents 
of CS and IP to specify 


the 
address 
of 
the 
next 
instructions. 


Indirect 
JMP 
outside 
the current 
code 
segment to a call gate. If the selector 
speci- 
fied by the instruction 
refers 
to a call gate, 


the processor ignores the offset in the double- 
word 
and 
takes 
the 
address 
of the 
routine 
being entered 
from 
the call gate. 
The JMP 
instruction 
uses the same format 
to indirectly 


specify a task gate or a task state segment. 


The 
instruction 
refers 
to 
the 
double-word 
in 
the 
array 
of 


pointers 
called 
CASE_TABLE. 


The specific 
double-word 
chosen 
depends on the value in BX when 
the 
instruction 
executes. 
The 
selector 
portion 
of this 
double- 
word selects 
a call gate, 
and the 
processor 
takes the address 
of the 
routine 
being 
entered 
from 
the 
call gate. 


\.-/iLL 
r \.-au rroceaureJ 
actIvates 
an out-of- 
line procedure, 
saving on the stack the address 
of the 
instruction 
following 
the 
CALL 
for 
later use by a RET (Return) 
instruction. 
An 
intrasegment 
CALL 
places the current 
value 
of IP on the stack. 
An intersegment 
CALL 
places 
both the value of IP and CS on the 
stack. 
The 
RET 
instruction 
in the 
called 
procedure 
uses this address to transfer 
control 
back to the calling program. 


A long CALL instruction 
that invokes a task- 
switch 
stores 
the outgoing 
task's 
task 
state 
segment 
selector 
in the incoming 
task 
state 
segment's 
link field and sets the nested 
task 
flag in the new task. In this case, the IRET 
instruction 
takes 
the 
place 
of 
the 
RET 
instruction 
to return control to the nested task. 


CALL 
NEAILNEWCODE 
CALL 
SI 
CALLPTILX 
CALL 
CASE_TABLE 
[BP] 
CALL 
FAR_NEWCODE_FOO 
CALL 
NEWCODE 
CALL 
CALL_GATE_FOO 
CALL 
CASE_TABLE 
[BX] 


See 
the 
previous 
treatment 
of JMP 
for 
a 
discussion 
of 
the 
operations 
of 
these 
instructions. 


3.6.1.3 
RETURN AND RETURN FROM INTERRUPT 
INSTRUCTION 


RET 
(Return From Procedure) 
terminates 
the 
execution of a procedure 
and transfers 
control 
through 
a back-link 
on the 
stack 
to the 
program 
that 
originally 
invoked 
the 
procedure. 


An intrasegment 
RET 
restores 
the value 
of 
IP that was saved on the stack by the previous 


segment 
RET 
restores 
the values of both CS 
and IP which were saved on the stack by the 
previous intersegment 
CALL 
instruction. 


RET 
instructions 
may 
optionally 
specify 
a 
constant 
to the stack 
pointer. 
This constant 
specifies 
the new top of stack 
to effectively 
remove 
any 
arguments 
that 
the 
calling 
program 
pushed 
on the 
stack 
before 
the 
execution 
of the CALL 
instruction. 


Example: 
RET 


If the previous CALL 
instruction 
did not transfer 
control 
to a new 
code segment, 
RET 
restores 
the 
value of IP pushed 
by the CALL 
instruction. 
If the previous CALL 
instruction 
transferred 
control 
to 
a new segment, 
RET 
restores 
the 
values of both 
IP and CS which 
were pushed 
on the stack by the 
CALL 
instruction. 


Example: 
RET n 


This form of the RET instruction 
performs 
identically 
to the above 
example 
except 
that 
it adds 
n 
(must 
be an even value) 
to the 
value of SP to eliminate 
8 bytes 
of parameter 
information 
previ- 
ously 
pushed 
by 
the 
calling 
program. 


IRET 
(Return 
From 
Interrupt 
or Nested 
Task) 
returns 
control 
to 
an 
interrupted 
routine or, optionally, 
reverses the action of a 
CALL 
or INT instruction 
that caused 
a task 
switch. See Chapter 
8 for further 
information 
on task switching. 


Example: 
IRET 


Returns 
from an interrupt 
with or 
without a task-switch 
based on the 
value of the NT bit. 


3.6.2 
Conditional 
Transfer 
Instructions 


The 
conditional 
transfer 
instructions 
are 
jumps 
that mayor 
may not transfer 
control, 
depending 
on the state of the epu flags when 
the 
instruction 
executes. 
The 
target 
for all 
conditional 
jumps must be in the current 
code 
segment 
and within 
- 128 to + 127 bytes of 
the first byte of the next instruction. 


3.6.2.1 CONDITIONALJUMP INSTRUCTIONS 


Table 
3-3 shows 
the 
conditional 
transfer 
mnemonics 
and 
their 
interpretations. 
The 
conditional 
jumps 
that are listed as pairs are 


actually 
the same instruction. 
The instruction 
set provides 
the 
alternate 
mnemonics 
for 
greater 
clarity within a program 
listing. 


3.6.2.2 LOOPINSTRUCTIONS 


The loop instructions 
are conditional 
jumps 
that use a value placed 
in ex to specify the 


number 
of repetitions 
of a software 
loop. All 
loop instructions 
automatically 
decrement ex 
and terminate 
the loop when ex=o. Four of 
the five loop instructions 
specify a condition 
of ZF 
that 
terminates 
the 
loop before ex 
decrements 
to zero. 


LOOP (Loop While ex Not Zero) is a condi-· 
tional transfer 
that 
auto-decrements 
the ex 
register 
before 
testing 
ex 
for 
the 
branch 
condition. 
If ex 
is non-zero, 
the 
program 
branches 
to the target 
label specified 
in the 
instruction. 
The LOOP 
instruction 
causes the 
repetition 
of a code section 
until 
the opera- 
tion of the LOOP 
instruction 
decrements 
ex 
to a value of zero. 
If LOOP 
finds ex=o, 
control 
transfers 
to the instruction 
immedi- 
ately following the LOOP 
instruction. 
If the 
value of ex is initially 
zero, then the LOOP 
executes 65536 times. 


--;;- 
Unsigned Conditional Transfers 


Mnemonic 
Condition Tested 
"Jump If... " 


JA/JNBE 
(CF or ZF) = 0 
above/not below nor equal 
JAE/JNB 
CF = 0 
above or equal/not below 
JB/JNAE 
CF = 1 
below/not above nor equal 
JBE/JNA 
(CF or ZF) = 1 
below or equal/not above 
JC 
CF = 1 
carry 
JE/JZ 
ZF = 1 
equal/zero 
JNC 
CF = 0 
not carry 
JNE/JNZ 
ZF = 0 
not equal/not zero 
JNP/JPO 
PF = 0 
not parity/parity odd 
JP/JPE 
PF = 1 
parity/parity even 


Signed Conditional Transfers 


Mnemonic 
Condition Tested 
"Jump If... " 


JG/JNLE 
«SF xor OF) or ZF) = 0 
greater/not less nor equal 
JGE/JNL 
(SF xor OF) = 0 
greater or equal/not less 
JL/JNGE 
(SF xor OF) = 0 
less/not greater nor equal 
JLE/JNG 
«SF xor OF) or ZF) = 1 
less or equal/not greater 
JNO 
OF = 0 
not overflow 
JNS 
SF = 0 
not sign 
JO 
OF = 1 
overflow 
JS 
SF = 1 
sign 


Each time the program encoun- 
ters 
this 
instruction, 
it 
decre- 


ments ex 
and then tests it. If the 


value of ex 
is non-zero, then the 


program branches to the instruc- 
tion labeled START_LOOP. 
If 


the value in ex 
is zero, then the 


program 
continues 
with 
the 


instruction that followsthe LOOP 
instruction. 


LOOPE (Loop While Equal) 
and LOOPZ 


(Loop While Zero) are physically the same 
instruction. 
These instructions 
auto-decre- 


ment the ex 
register before testing ex 
and 
ZF for the branch conditions. If ex 
is non- 
zero and ZF = I, the program branches to the 
target label specified in the instruction. 
If 
LOOPE or LOOPZ 
finds that 
ex=o 
or 
ZF = 0, control transfers 
to the instruction 
immediately 
succeeding 
the 
LOOPE 
or 
LOOPZ instruction. 


Example: 
LOOPE 
START_LOOP 
(or 


LOOPZ START_LOOP) 


Each time the program encoun- 
ters 
this 
instruction, 
it 
decre- 


ments ex 
and tests ex 
and ZF. 
If the value in ex 
is non-zero and 


the value of ZF is I, the program 
branches to the instruction labeled 
START_LOOP. 
If ex=o 
or 


ZF=O, 
the program 
continues 


with the instruction that follows 
the 
LOOPE 
(or 
LOOPZ) 


instruction. 


LOOPNE 
(Loop 
While 
Not 
Equal) 
and 
LOOPNZ (Loop While Not Zero) are physi- 
cally the same instruction. These instructions 
auto-decrement the ex 
register before testing 
ex 
and ZF for the branch conditions. If ex 


is non-zero and ZF=O, the program branches 
to the target label specified in the instruction. 
If LOOPNE or LOOPNZ finds that ex=o 
or ZF = I, control transfers to the instruction 
immediately 
succeeding 
the LOOPNE 
or 
LOOPNZ instruction. 


Example: 
LOOPNE 
START_LOOP 
(or 
LOOPNZ START_LOOP) 


Each time the program encoun- 
ters 
this 
instruction, 
it 
decre- 
ments ex 
and tests ex 
and ZF. 
If the value of ex 
is non-zero and 
the value of ZF is 0, the program 
branches to the instruction labeled 
START_LOOP. 
If ex=o 
or 
ZF = I, the program 
continues 
with the instruction that follows 
the LOOPNE 
(or 
LOOPNZ) 
instruction. 


3.6.2.3 
EXECUTING A LOOP OR REPEAT 
ZERO TIMES 
JCXZ 
(Jump if CX Zero) branches to the 
label specified in the instruction if it finds a 
value of zero in ex. 
Sometimes, it is desira- 
ble to design a loop that executes zero times 
if the count variable in ex 
is initialized to 
zero. Because the loop instructions 
(and 
repeat prefixes) decrement ex 
before they 


test it, a loop will execute 65536 times if the 
program enters the loop with a zero value in 
ex. 
A 
programmer 
may 
conveniently 


overcome this problem with JeXZ, 
which 
enables the program to branch around the 
code within the loop if ex is zero when JeXZ 
executes. 


Example: 
JeXZ TARGETLABEL 


Causes the program 
to branch 
to 
the 
instruction 
labeled 
TARGETLABEL if ex =0 when 
the instruction executes. 


3.6.3 
Software-Generated 
Interrupts 


The INT and INTO instructions allow the 
programmer to specify a transfer to an inter- 
rupt service routine from within a program. 


3.6.3.1 
SOFTWARE INTERRUPT INSTRUCTION 


INT 
(Software 
Interrupt) 
activates the inter- 


rupt service routine that corresponds to the 
number coded within the instruction. Inter- 
rupt type 3 is reserved for internal software- 
generated 
interrupts. 
However, 
the INT 


instruction may specify any interrupt type to 
allow multiple types of internal interrupts or 
to test the operation of a service routine. The 
interrupt service routine terminates with an 
IRET instruction that returns control to the 
instruction that follows INT. 


Example: 
INT 3 


Transfers control to the interrupt 
service routine specified by a type 
3 interrupt. 


Example: 
INT 0 


Transfers control to the interrupt 
service routine specified by a type 
o interrupt, which is reserved for 
a divide error. 


INTO 
(Interrupt 
on Overflow) invokes a type 
4 interrupt 
if OF is set when the INTO 


instruction executes. The type 4 interrupt is 
reserved for this purpose. 


Example: 
INTO 


If the result of a previous opera- 
tion has set OF and no interven- 
ing operation has reset OF, then 
INTO invokes a type 4 interrupt. 
The 
interrupt 
service 
routine 
terminates with an IRET instruc- 
tion, which returns control to the 
instruction following INTO. 


3.7 CHARACTER TRANSLATION AND 
STRING INSTRUCTIONS 


The instructions in this category operate on 
characters or string elements rather than on 
logical or numeric values. 


3.7.1 
Translate Instruction 


XLAT 
(Translate) 
replaces a byte in the AL 
register with a byte from a user-coded trans- 
lation table. When XLA T is executed, AL 
should have the unsigned index to the table 
addressed by BX. XLAT changes the contents 
of AL from table index to table entry. BX is 
unchanged. The XLA T instruction is useful 
for translating 
from one coding system to 
another such as from ASCII to EBCDIC. The 
translate table may be up to 256 bytes long. 
The value placed in the AL register serves as 
an index to the location of the corresponding 
translation value. Used with a LOOP instruc- 
tion, the XLAT instruction can translate 
a 
block of codes up to 64K bytes long. 


Example: 
XLA T 


Replaces the byte in AL with the 
byte from the translate table that 
is selected by the value in AL. 


3.7.2 
String Manipulation Instructions and 
Repeat Prefixes 


The string instructions 
(also called primi- 
tives) operate on string elements to move, 
compare, and scan byte or word strings. One- 
byte repeat prefixes can cause the operation 
of a string primitive to be repeated to process 
strings as long as 64K bytes. 


The repeated string primitives use the direc- 
tion flag, DF, to specify left-to-right or right- 
to-left string processing, and use a count in 
CX to limit the processing operation. These 
instructions use the register pair DS:SI to 
point to the source string element and the 
register 
pair 
ES:DI 
to 
point 
to 
the 
destination. 


string 
primItive, 
depending 
on whether 
it is 


operating 
on byte strings or word strings. The 


string primitives 
are generic 
and require 
one 


or more operands 
along with the primitive 
to 


determine 
the size of the string elements being 


processed. 
These operands 
do not determine 


the 
addresses 
of the 
strings; 
the 
addresses 


must 
already 
be present 
in the 
appropriate 


registers. 


Each repetition 
of a string operation 
using the 


Repeat 
prefixes includes the following steps: 


1. 
Acknowledge 
pending 
interrupts. 


2. 
Check CX for zero and stop repeating 
if 


CX is zero. 


3. 
Perform 
the string operation 
once. 


4. 
Adjust the memory pointers in DS:SI and 
ES:DI 
by incrementing 
SI and DI if DF 


is 0 or by decrementing 
SI and DI if DF 


is 1. 


5. 
Decrement 
CX (this step does not affect 


the flags). 


6. 
For 
SCAS 
(Scan 
String) 
and 
CMPS 


(Compare 
String), 
check ZF for a match 


with 
the 
repeat 
condition 
and 
stop 


repeating 
if the ZF fails to match. 


The 
Load 
String 
and 
Store 
String 
instruc- 


tions allow a program 
to perform 
arithmetic 


or logical 
operations 
on string 
characters 


(using AX for word strings 
and AL for byte 


strings). 
Repeated 
operations 
that 
include 


instructions 
other than string primitives 
must 
use the loop instructions 
rather 
than a repeat 


prefix. 


3.7.2.1 
STRING MOVEMENT 
INSTRUCTIONS 
REP (Repeat While ex Not Zero) specifies 
a repeated operation 
of a string primitive. 
The 
REP prefix causes the hardware 
to automat- 


ically repeat 
the 
associated 
string 
primitive 


until CX = O. This form of iteration 
allows the 


- 
would 
be possible 
with 
a regular 
software 


loop. 


When the REP prefix accompanies 
a MaYS 


instruction, 
it operates 
as a memory-to- 
memory 
block 
transfer. 
To set up for this 


operation, the program must initialize CX and 
the 
register 
pairs 
DS:SI 
and 
ES:DI. 
CX 


specifies the number 
of bytes or words in the 
block. 


If DF=O, 
the program 
must point DS:SI 
to 


the first element of the source string and point 
ES:DI to the destination 
address 
for the first 


element. 
If DF= 
1, the program 
must 
point 
these two register 
pairs to the last element 
of 


the 
source 
string 
and 
to the 
destination 


address for the last element, 
respectively. 


The processor 
checks the value in 
CX for zero. If this value is not 
zero, the processor 
moves a word 
from 
the 
location 
pointed 
to by 


DS:SI 
to the location 
pointed 
to 


by ES:DI 
and increments 
SI and 
DI by two (if DF=O). 
Next, 
the 


processor 
decrements 
CX by one 
and 
returns 
to the 
beginning 
of 


the 
repeat 
cycle 
to check 
CX 


again. 
After 
CX 
decrements 
to 


zero, 
the 
processor 
executes 
the 


instruction 
that follows. 


MOVS 
(Move 
String) 
moves 
the 
string 


character 
pointed to by the combination 
of DS 
and 
SI 
to the 
location 
pointed 
to by 
the 


combination 
of ES and DI. This is the only 


memory-to-memory 
transfer 
supported 
by the 


instruction 
set 
of the 
base 
architecture. 


MaYSB 
operates 
on byte 
elements. 
The 


destination 
segment 
register 
cannot 
be 


overridden 
by a segment override prefix while 


the 
source 
segment 
register 
can 
be 


overridden. 


Example: 
MOVSW 


Moves 
the 
contents 
of 
the 
memory byte pointed to by DS:SI 
to 
the 
location 
pointed 
to 
by 


ES:DI. 


3.7.2.2 
OTHER STRING OPERATIONS 


CMPS (Compare String) subtracts 
the desti- 
nation string element (ES:DI) 
from the source 


string element 
(DS:SI) 
and updates 
the flags 


AF, 
SF, 
PF, 
CF 
and 
OF. 
If 
the 
string 


elements are equal, ZF= 
1; otherwise, 
ZF=O. 


If 
DF=O, 
the 
processor 
increments 
the 


memory 
pointers 
(SI 
and 
DI) 
for the 
two 


strings. 
The 
segment 
register 
used 
for 
the 


source address can be changed with a segment 
override prefix while the destination 
segment 


register 
cannot 
be overridden. 


Example: 
CMPSB 


Compares 
the source 
and 
desti- 
nation 
string 
elements 
with each 
other and returns 
the result of the 
comparison 
to ZF. 


SCAS (Scan String) subtracts 
the destination 


string element 
at ES:DI 
from AX or AL and 
updates 
the flags AF, SF, ZF, 
PF, CF and 
OF. 
If the values 
are equal, 
ZF= 
1; other- 


wise, ZF=O. 
If DF=O, 
the processor 
incre- 
ments the memory pointer (DI) for the string. 
The 
segment 
register 
used 
for the 
source 
address 
can 
be changed 
with 
a segment 
override 
prefix while the destination 
segment 
register cannot 
be overridden. 


Example: 
SCASW 


Compares 
the value 
in AX with 
the destination 
string element. 


REPE/REPZ 
(Repeat While CX Equal/Zero) 
and REPNE/REPNZ 
(Repeat While CX Not 
Equal/Not 
Zero) are 
the 
prefixes 
that 
are 
used 
exclusively 
with 
the 
SCAS 
(Scan 
String) 
and 
CMPS 
(Compare 
String) 
primitives. 


The 
difference 
between 
these 
two types 
of 
prefix bytes is that REPE/REPZ 
terminates 
when 
ZF=O 
and 
REPNE/REPNZ 
termi- 
nates 
when 
ZF= 
1. ZF 
does 
not 
require 
initialization 
before 
execution 
of a repeated 
string instruction. 


When these prefixes modify either the SCAS 
or CMPS 
primitives, 
the processor 
compares 
the value of the current 
string 
element 
with 
the value in AX for word elements 
or with 
the 
value 
in AL 
for 
byte 
elements. 
The 
resulting 
state 
of ZF 
can 
then 
limit 
the 
operation 
of the repeated 
operation 
as well as 
a zero value in CX. 


Example: 
REPE 
SCASB 


Causes 
the processor 
to scan the 
string 
pointed 
to by ES:DI 
until 
it encounters 
a match 
with 
the 
byte 
value 
in AL 
or 
until 
CX 
decrements 
to zero. 


LODS (Load String) places the source string 
element at DS:SI into AX for word strings or 
into AL for byte strings. 


Example: 
LODSW 


Loads AX with the value pointed 
to by DS:SI. 


3.8 
ADDRESS 
MANIPULATION 
INSTRUCTIONS 


The set of address 
manipulation 
instructions 


provide 
a way to perform 
address 
calcula- 
tions or to move to a new data 
segment 
or 
extra segment. 


LEA (Load Effective Address) transfers 
the 
offset of the source operand 
(rather 
than 
its 


value) to the destination 
operand. 
The source 
operand 
must be a memory 
operand, 
and the 
destination 
operand 
must be a 16-bit general 
register 
(AX, 
DX, 
BX, 
CX, 
BP, 
SP, 
SI, 
or DI). 


LEA does not affect 
any flags. This instruc- 
tion is useful 
for initializing 
the 
registers 
before the execution 
of the string 
primitives 
or the XLA T instruction. 


Example: 
LEA BX EBCDIC_TABLE 


Causes 
the 
processor 
to 
place 


the 
address 
of 
the 
starting 


location 
of 
the 
table 
labeled 


EBCDIC_TABLE 
into BX. 


LDS (Load Pointer Using DS) transfers 
a 
32-bit 
pointer 
variable 
from 
the 
source 
operand 
to DS and the destination 
register. 


The 
source 
operand 
must 
be 
a memory 
operand, 
and the destination 
operand 
must be 
a 16-bit general 
register 
(AX, DX, BX, CX, 


BP, SP, SI or DI). DS receives the high-order 
segment 
word of the pointer. 
The destination 
register 
receives 
the 
low-order 
word, 
which 
points 
to 
a specific 
location 
within 
the 


segment. 


Example: 
LDS SI, STRING-.X 


Loads 
DS with the word identi- 


fying the segment 
pointed 
to by 


STRING-.X, 
and loads the offset 


of STRING-.X 
into SI. Specify- 


ing SI as the destination 
operand 


is a convenient 
way to prepare 
for 


a string 
operation 
on a source 


string 
that 
is not in the current 


data segment. 


LES 
(Load Pointer 
Using ES) 
operates 
identically to LDS except that ES receives the 
offset word rather 
than DS. 


Example: 
LES DI, DESTINA 
TION-.X 


Loads 
ES with the word 
identi- 


fying the segment 
pointed 
to by 


DESTINATION_X, 
and 
loads 


the offset of DESTINATION-.X 
into DI. This instruction 
provides 


a convenient 
way 
to 
select 
a 


destination 
for a string 
operation 
if the desired location is not in the 
current 
extra segment. 


3.9 
FLAG CONTROL 
INSTRUCTIONS 


The flag control instructions 
provide a method 
of changing 
the 
state 
of bits 
in 
the 
flag 
register. 


3.9.1 
Carry Flag Control 
Instructions 


The 
carry 
flag 
instructions 
are 
useful 
in 
conjunction 
with 
rotate-with-carry 
instruc- 
tions RCL and RCR. 
They can initialize 
the 
carry 
flag, 
CF, 
to a known 
state 
before 
execution 
of a rotate that moves the carry bit 
into one end of the rotated 
operand. 


STC (Set Carry Flag) sets the carry flag (CF) 
to 1. 


CLC (Clear Carry Flag) zeros the carry 
flag 
(CF). 


CMC (Complement Carry Flag) reverses 
the 
current 
status of the carry flag (CF). 


3.9.2 
Direction 
Flag Control Instructions 


The 
direction 
flag 
control 
instructions 
are 


specifically 
included 
to set or clear the direc- 
tion flag, DF, which controls 
the left-to-right 


or right-to-Ieft 
direction 
of string 
processing. 


IF DF=O, 
the processor 
automatically 
incre- 
ments the string memory 
pointers, 
SI and DI, 


after each execution 
of a string 
primitive. 
If 
D F = 1, the 
processor 
decrements 
these 
pointer values. The initial state of DF is O. 


BASIC INSTRUCTION 
SET 


CLD (Clear Direction Flag) zeros OF, causing 
the string 
instructions 
to auto-increment 
SI 


and/or 
DJ. CLO 
does not affect 
any other 


flags. 


STD 
(Set 
Direction 
Flag) 
sets 
OF 
to 
1, 
causing 
the string instructions 
to auto-decre- 


ment SI and/or 
OJ. STO does not affect any 


other flags. 


3.9.3 
Flag Transfer 
Instructions 


Though specific instructions 
exist to alter CF 


and OF, there is no direct method 
of altering 


the other flags. The flag transfer 
instructions 
allow a program 
to alter 
the other 
flag bits 
with the bit manipulation 
instructions 
after 


transferring 
these flags to the stack or the AH 


register. 


The PUSHF 
and POPF 
instructions 
are also 
useful 
for preserving 
the 
state 
of the 
flag 


register before executing 
a procedure. 


LAHF 
(Load AH from 
Flags) copies SF, ZF, 
AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, 
respectively (see figure 3-12). The contents 
of 


the remaining 
bits (5, 3, and I) are undefined. 


The flags remain 
unaffected. 
This instruction 


can assist in converting 
8080/8085 
assembly 
language 
programs 
to run on the base archi- 


tecture 
of 
the 
iAPX 
86, 
88, 
186, 
and 286. 


SAHF 
(Store AH into Flags) transfers 
bits 7, 
6,4, 
2, and 0 from AH into SF, ZF, AF, PF, 
and CF, respectively 
(see figure 
3-12). 
This 


instruction 
also provides 8080/8085 
compat- 


ibility with the iAPX 86, 88, 186, and 286. 


LAHF loads live Ilags Irom the lIag register 
Into register 
AH. SAHF 
stores 
these same live Ilags Irom AH Into the Ilag register. 
The 
bit position 
01 each Ilag 
Is the same In AH as It Is In the Ilag 
register. 
The remaining 
bits are indeterminate. 


PUSHF 
(Push Flags) decrements 
SP by two 
and then transfers 
all flags to the word at the 


top of stack 
pointed 
to by SP 
(see 
figure 


3-13). 
The 
flags 
remain 
unaffected. 
This 


instruction 
enables 
a procedure 
to save the 
state of the flag register 
for later use. 


POPF (Pop Flags) transfers 
specific bits from 


the word at the top of stack into the low-order 
byte of the flag register (see figure 3-13). The 
processor then increments 
SP by two. 


Note 
that 
an application 
program 
in the 


protected 
virtual 
address 
mode may not alter 
10PL (the I/O 
privilege level flag) unless the 


program 
is executing 
at privilege 
level O. A 


program may alter IF (the interrupt 
flag) only 


when executing 
at a level that 
is at least 
as 


privileged as IOPL. 


Procedures 
may use this instruction 
to restore 


the flag status from a previous value. 


3.10 
BINARY -CODED 
DECIMAL 


ARITHMETIC 
INSTRUCTIONS 


These 
instructions 
adjust 
the 
results 
of a 


previous 
arithmetic 
operation 
to produce 
a 
valid 
packed 
or unpacked 
decimal 
result. 


These instructions 
operate 
only on AL or AH 


registers. 


PUSHF decrementa 
SP by 2 byte a (1 word) 
and coplea 
the contenta 
of the flag 
reg later to the top of atack. 
POPF loada the flag reglater 


with the contenta 
of the laat word 
puahed 
onto 
the atack. 
The bit poaltlon 
of each flag la the aame In the atack 
word 
aa It la In the flag 


reg later. Only programa 
•• ecutlng 
at the hlgheat 
prl.llege 
le.el 
(Ie.el 
0) may alter the 2·blt IOPL flag. Only programa 
e.ecutlng 
at a le.e' 
at 


le.at 
aa prl.lleged 
aa that Indicated 
by IOPL may alter IF. 


3.10.1 
Packed BCD Adjustment 
Instructions 


DAA (Decimal Adjust) corrects 
the result of 


adding two valid packed decimal 
operands 
in 


AL. DAA must always follow the addition 
of 
two pairs 
of packed 
decimal 
numbers 
(one 
digit in each nibble) 
to obtain 
a pair of valid 


packed 
decimal 
digits 
as results. 
The carry 
flag will be set if carry was needed. 


DAS 
(Decimal 
Adjust 
for 
Subtraction) 


corrects 
the result 
of subtracting 
two valid 


packed 
decimal 
operands 
in AL. DAS 
must 


always follow the subtraction 
of one pair of 


packed 
decimal 
numbers 
(one digit 
in each 


nibble) from another 
to obtain 
a pair of valid 


packed 
decimal 
digits 
as results. 
The carry 
flag will be set if a borrow was needed. 


3.10.2 
Unpacked BCD Adjustment 
Instructions 


AAA 
(ASCII Adjust for Addition) 
changes 
the 
contents 
of 
register 
AL 
to 
a 
valid 


unpacked 
decimal 
number, 
and zeros the top 


4 bits. AAA must always follow the addition 
of two unpacked 
decimal operands 
in AL. The 


carry flag will be set and AH will be incre- 
mented if a carry was necessary. 


AAS (ASCII Adjust for Subtraction) changes 
the 
contents 
of 
register 
AL 
to 
a 
valid 
unpacked 
decimal 
number, 
and zeros the top 
4 bits. AAS must always follow the subtrac- 
tion of one unpacked 
decimal 
operand 
from 
another 
in AL. The carry flag will be set and 
AH decremented 
if a borrow was necessary. 


AAM 
(ASCII 
Adjust 
for Multiplication) 


corrects 
the result of a multiplication 
of two 


valid unpacked 
decimal numbers. 
AAM must 
always 
follow 
the 
multiplication 
of 
two 
decimal 
numbers 
to produce 
a valid decimal 
result. The high order digit will be left in AH, 
the low order digit in AL. 


AAD (ASCII Adjust for Division) modifies 
the numerator 
in AH and AL to prepare 
for 


the division 
of two valid unpacked 
decimal 
operands so that the quotient 
produced 
by the 
division 
will be 
a valid 
unpacked 
decimal 
number. 
AH 
should 
contain 
the 
high-order 
digit 
and 
AL 
the 
low-order 
digit. 
This 


instruction 
will adjust 
the value and leave it 


in AL. AH will contain o. 


3.11 
TRUSTED INSTRUCTIONS 


When operating 
in Protected 
Mode, the iAPX 
286 processor restricts the execution of trusted 
instructions 
according 
to the 
CPL 
and 
the 
current 
value of IOPL, 
the 2-bit 
I/O 
privi- 
lege flag. Only 
a program 
operating 
at the 
highest privilege level (level 0) may alter the 
value 
of 10PL. 
A program 
may 
execute 
trusted 
instructions 
only when executing 
at a 
level that 
is at 
least 
as privileged 
as that 
specified by IOPL. 


Trusted 
instructions 
control 
I/O 
operations, 
interprocessor 
communications 
in a multipro- 
cessor 
system, 
interrupt 
enabling, 
and 
the 
HLT instruction. 


These protection 
considerations 
do not apply 
in the real address 
mode. 


3.11.1 
Trusted and Privileged Restrictions 
on POPF and IRET 


POPF 
(POP Flags) 
and 
IRET 
(Interrupt 
Return) 
are not affected 
by 10PL 
unless they 
attempt 
to alter 
IF (flag 
register 
bit 9). To 
change IF, POPF 
must be part of a program 
that 
is executing 
at a privilege 
level greater 
than or equal to that specified by 10PL. 
Any 
attempt 
to change 
IF when CPL 
± 0 will be 
ignored. To change the 10PL field, CPL must 
be zero. 


3.11.2 
Machine State Instructions 


These trusted 
instructions 
affect the machine 
state control interrupt 
response, 
the processor 
halt 
state, 
and 
the 
bus 
LOCK 
signal 
that 
regulates 
memory 
access 
in multiprocessor 
systems. 


CLl (Clear Interrupt-Enable 
Flag) and STI 
(Set Interrupt-Enable 
Flag) alter bit 9 in the 
flag 
register. 
When 
IF = 0, the 
processor 
responds 
only 
to internal 
interrupts 
and 
to 
non-maskable 
external 
interrupts. 
When 


IF = I, the 
processor 
responds 
to all inter- 
rupts. An interrupt 
service routine 
might 
use 
these instructions 
to avoid further 
interrup- 
tion while it processes 
a previous 
interrupt 
request. 
As with 
the 
other 
flag 
bits, 
the 
processor clears IF during initialization. 
These 
instructions 
may be executed 
only if CPL 
~ 
10PL. 
A protection 
exception 
will occur 
if 
they are executed 
when CPL > 10PL. 


Example: 
STI 


Sets 
IF = I, which 
enables 
the 
processing 
of maskable 
external 
interrupts. 


Example: 
CLI 


Sets 
IF=O 
to disable 
maskable 
interrupt 
processing. 


HLT 
(Halt) 
causes the processor 
to suspend 
processing operations 
pending 
an interrupt 
or 
a system 
reset. 
This 
trusted 
instruction 
provides an alternative 
to an endless software 
loop in situations 
where a program 
must wait 
for an interrupt. 
The 
return 
address 
saved 
after 
the interrupt 
will point to the instruc- 
tion 
immediately 
following 
HL T. 
This 
instruction 
may 
be 
executed 
only 
when 
CPL 
= O. 


LOCK 
(Assert 
Bus Lock) 
is a I-byte 
prefix 
code that 
causes 
the processor 
to assert 
the 
bus 
LOCK 
signal 
during 
execution 
of the 
instruction 
that follows. LOCK does not affect 
any flags. LOCK may be used only when CPL 
~ IOPL. A protection 
exception 
will occur if 
LOCK is used when CPL > 10PL. 


3.11.3 
Input and Output Instructions 


These 
trusted 
instructions 
provide 
access 
to 
the processor's 
I/O 
ports to transfer 
data 
to 
and from peripheral 
devices. In the protected 


mode, these instructions 
may be executed only 


when CPL ~ 
IOPL. 


IN (Input from Port) transfers 
a byte 
or a 


word from an input port to AL or AX. If a 
program 
specifies 
AL 
with 
the 
IN 
instruc- 


tion, the processor 
transfers 
8 bits from 
the 


selected port to AL. Alternately, 
if a program 


specifies 
AX 
with 
the 
IN 
instruction, 
the 


processor 
transfers 
16 bits 
from 
the 
port 


to AX. 


The program 
can specify the number 
of the 


port in two ways. Using 
an immediate 
byte 


constant, 
the program 
can specify 
256 8-bit 


ports numbered 
0 through 
255 or 128 16-bit 


ports 
numbered 
0,2,4, ...,252,254. 
Using 
the 


current 
value contained 
in DX, the program 


can specify 
8-bit ports numbered 
0 through 


65,535, or 16-bit ports using even-numbered 
ports in the same range. 


Example: 
IN AL, 
BYTE-llORT_NUMBER 


Transfers 
8 
bits 
to 
AL 


from 
the 
port 
identified 


by 
the 
immediate 
constant 


BYTE-llOR 
T_NUMBER. 


OUT (Output to Port) transfers 
a byte or a 
word to an output 
port from AL or AX. The 


program 
can specify the number 
of the port 
using the same 
methods 
of the 
IN 
instruc- 


tion. 


Example: 
OUT AX, DX 


Transfers 
16 bits from AX to the 


port 
identified 
by 
the 
16- bit 


number 
contained 
in DX. 


INS 
and OUTS (Input String and Output 


String) cause 
block 
input 
or output 
opera- 


tions using a Repeat 
prefix. See Chapter 
4 for 


more information 
on INS and OUTS. 


3.12 
PROCESSOR EXTENSION 
INSTRUCTIONS 


Processor 
Extension 
provides 
an extension 
to 
the 
instruction 
set of the 
base 
architecture 
(e.g., 80287). 
The NPX 
extends 
the instruc- 
tion 
set of the 
CPU-based 
architecture 
to 
support 
high-precision 
integer 
and 
floating- 
point calculations. 
This extended 
instruction 
set 
includes 
arithmetic, 
comparison, 


transcendental, 
and 
data 
transfer 
instruc- 
tions. The NPX 
also contains 
a set of useful 
constants 
to enhance 
the 
speed 
of numeric 


calculations. 


A program 
contains 
instructions 
for the NPX 


in line with the instructions 
for the CPU. The 


system executes these instructions 
in the same 


order as they appear in the instruction 
stream. 


The 
NPX 
operates 
concurrently 
with 
the 


CPU 
to provide 
maximum 
throughput 
for 


numeric 
calculations. 


The software 
emulation 
of the NPX 
is trans- 


parent 
to application 
software 
but 
requires 


more time for execution. 


3.12.1 
Processor Extension 
Synchronization Instructions 


Escape and wait instructions 
allow a proces- 
sor extension 
such 
as the 
80287 
NPX 
to 


obtain 
instructions 
and data from the system 


bus and to wait for the NPX to return a result. 


Ese 
(Escape) 
identifies 
floating 
point 


numeric instructions 
and allows the iAPX 286 


to send the opcode to the NPX 
or to transfer 


a memory 
operand 
to the NPX. 
The 80287 


NPX uses the Escape instructions 
to perform 


high-performance, 
high-precision 
floating 


point arithmetic 
that 
conforms 
to the IEEE 


floating 
point standard. 


Example: 
ESC 6, ARRAY 
[SI] 


The CPU sends the escape opcode 
6 and 
the 
location 
of the 
array 


pointed to by SI to the NPX. 


WAfT 
(Wait) 
suspends 
program 
execution 
until the iAPX 
286 CPU detects 
a signal on 


the BUSY 
pin. In an iAPX 
286/20 
configu- 
ration 
that 
includes 
a numeric 
processor 
extension, 
the NPX 
activates 
the TEST 
pin 


to signal that it has completed 
its processing 


task and that the CPU may obtain the results. 


3.12.2 
Numeric Data Processor 
Instructions 


This 
section 
describes 
the 
categories 
of 
instructions 
available 
with 
Numeric 
Data 
Processor 
systems 
that 
include 
a Numeric 
Processor 
Extension 
or a software 
emulation 
of this processor extension. Refer to the 80287 
data sheet for more information. 


3.12.2.1 
ARITHMETIC 
INSTRUCTIONS 


The extended 
instruction 
set includes not only 
the four arithmetic 
operations 
(add, subtract, 


multiply, 
and 
divide), 
but 
also 
subtract- 
reversed and divide-reversed 
instructions. 
The 


arithmetic 
functions 
include 
square 
root, 


modulus, 
absolute 
value, integer part, change 


sign, 
scale 
exponent, 
and 
extract 
exponent 


instructions. 


3.12.2.2 
COMPARISON INSTRUCTIONS 


The comparison 
operations 
are the compare, 
examine, 
and test instructions. 
Special 
forms 
of the 
compare 
instruction 
can 
optimize 
algorithms 
by allowing comparisons 
of binary 
integers with real numbers 
in memory. 


3.12.2.3 
TRANSCENDENTAL 
INSTRUCTIONS 


The 
instructions 
in this 
group 
perform 
the 
otherwise 
time-consuming 
calculations 
for all 
common 
trigonometric, 
inverse 
trigonome- 
tric, hyperbolic, 
inverse hyperbolic, 
logarith- 
mic, 
and 
exponential 
functions. 
The 
transcendental 
instructions 
include 
tangent, 
arctangent, 
2 x -I, 
Y . log2X, and Y. log2 


(X+ I). 


3.12.2.4 
DATA TRANSFER INSTRUCTIONS 


The data transfer 
instructions 
move operands 
among 
the registers 
and between 
a register 
and memory. 
This group 
includes 
the load, 
store, and exchange 
instructions. 


3.12.2.5 
CONSTANT 
INSTRUCTIONS 


Each 
of the constant 
instructions 
loads 
a 
commonly 
used constant 
into an NPX 
regis- 
ter. The values have a real precision of 64 bits 
and are accurate 
to approximately 
19 decimal 
places. The constants 
loaded by these instruc- 
tions include 0, I, Pi, log. 10, log2 e, 10glO2, 
and log 2•. 
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CHAPTER 4 
EXTENDED INSTRUCTION SET 


The instructions 
described 
in this 
chapter 
extend 
the capabilities 
of the base architec- 
ture 
instruction 
set described 
in Chapter 
3. 
These extensions 
consist 
of new instructions 
and variations 
of some instructions 
that 
are 
not strictly 
part of the base architecture 
(in 
other words, not included in the iAPX 86, 88). 
These 
instructions 
are also available 
in the 


iAPX 
186, 
188. The 
instruction 
variations, 
described 
in Chapter 
3, include 
the immedi- 
ate forms 
of the PUSH 
and 
MUL 
instruc- 


tions (PUSH A, POPA) 
and the privilege level 
restrictions 
on POPF. 


New 
instructions 
described 
in this 
chapter 
include 
the string 
input 
and output 
instruc- 
tions (INS 
and OUTS), 
the ENTER 
proce- 
dure and LEAVE 
procedure 
instructions, 
and 
the check index BOUND 
instruction. 


4.1 
BLOCK I/O INSTRUCTIONS 


REP, 
the Repeat 
prefix, 
modifies 
INS 
and 
OUTS (the string I/O 
instructions) 
to provide 
a means 
of 
transferring 
blocks 
of 
data 
between 
an 
I/O 
port 
and 
Memory. 
These 
block I/O 
instructions 
are string 
primitives. 
They simplify programming 
and increase 
the 
speed of data transfer 
by eliminating 
the need 
to use a separate 
LOOP 
instruction 
or an 
intermediate 
register 
to hold the data. 


INS 
and OUTS 
are trusted 
instructions. 
To 
use trusted 
instructions, 
a program 
must 
execute 
at a privilege 
level at least as privi- 
leged as that specified by the 2-bit 10PL 
flag. 
Any attempt 
by a less-privileged 
program 
to 
use a trusted 
instruction 
results 
in a protec- 
tion exception. 
See Chapter 
7 for information 
on protection 
concepts. 


One of two possible opcodes 
represents 
each 
string 
primitive 
depending 
on whether 
it 


operates on byte strings or word strings. After 
each transfer, 
the memory 
address 
in SI or 
DI is updated 
by 1 for byte values and by 2 
for word values. 
The value 
in the 
DF field 
determines 
if SI or DI is to be auto 
incre- 
mented 
(DF=O) 
or 
auto 
decremented 
(DF= 
1). 


INS and OUTS 
use DX to specify I/O 
ports 
numbered 
0 through 
65,535 
or 16-bit 
ports 
using only even port 
addresses 
in the same 
range. 


INS (Input String from Port) transfers 
a byte 
or a word string 
element 
from an input 
port 
to memory. 
If a program 
specifies INSB, 
the 
processor 
transfers 
8 bits from 
the selected 
port 
to the 
memory 
location 
indicated 
by 
ES:DI. 
Alternately, 
if a program 
specifies 
INSW, 
the processor 
transfers 
16 bits from 
the port to the memory 
location 
indicated 
by 
ES:DI. 
The 
destination 
segment 
register 
cannot be overridden. 


Combined 
with the REP prefix, INS moves a 
block of information 
from an input port to a 
series of consecutive 
memory 
locations. 


Example: 
REP INSB 


The 
processor 
repeatedly 
trans- 
fers 8 bits to the memory 
location 
indicated 
by ES:DI 
from the port 
selected by the 16-bit port number 
contained 
in DX. Following 
each 
byte 
transfer, 
the 
CPU 
decre- 
ments CX. The instruction 
termi- 
nates 
the 
block 
transfer 
when 
CX=O. 
After 
decrementing 
CX, 
the 
processor 
increments 
DI 
by 
one if DF=O. 
It decrements 
DI 
by one if DF= 
1. 


OUTS (Output String to Port) transfers 
a 


byte or a word string 
element 
to an output 


port from memory. 
Combined 
with the REP 


prefix, 
OUTS 
moves a block of information 


from a series of consecutive 
memory 
locations 


indicated 
by DS:SI to an output 
port. 


Assuming 
that 
the 
program 


declares 
WSTRING 
to 
be 
a 


word-length 
string 
element, 
the 


assembler 
uses the l6-bit 
form of 


the 
OUTS 
instruction 
to create 


the object 
code for the program. 


The 
processor 
repeatedly 
trans- 


fers 
words 
from 
the 
memory 
locations 
indicated 
by DI to the 


output 
port selected 
by the 16-bit 


port number 
in DX. 


Following each word transfer, 
the 


CPU 
decrements 
CX. 
The 


instruction 
terminates 
the 
block 


transfer 
when 
CX =0. 
After 


decrementing 
CX, 
the 
processor 


increments 
SI by two to point to 


the 
next 
word 
in 
memory 
if 


DF=O, 
it decrements 
SI by two 
if DF= 
1. 


4.2 
HIGH-LEVEL INSTRUCTIONS 


The 
instructions 
in 
this 
section 
provide 


machine-language 
functions 
normally 
found 


only in high-level 
languages. 
These 
instruc- 


tions 
include 
ENTER 
and 
LEAVE, 
which 


simplify the programming 
of procedures, 
and 


BOUND, 
which provides a simple method 
of 


testing an index against 
its predefined 
range. 


ENTER 
(Enter Procedure) creates 
the stack 


frame required by most block-structured 
high- 


level languages. 
A LEAVE 
instruction 
at the 


end of a procedure 
complements 
an ENTER 


at the beginning 
of the procedure 
to simplify 
stack 
management 
and to control 
access 
to 


variables 
for nested procedures. 


The ENTER 
instruction 
includes two param- 
eters. 
The 
first 
parameter 
specifies 
the 
number 
of bytes 
of dynamic 
storage 
to be 


allocated 
on the stack 
for the routine 
being 
entered. The second parameter 
corresponds 
to 
the lexical nesting level of the routine. 
(Note 
that 
the lexical 
level has no relationship 
to 
either the protection 
privilege 
levels or to the 
I/O 
privilege level.) 


The 
specified 
lexical 
level 
determines 
how 


many sets of stack 
frame 
pointers 
the CPU 
copies 
into 
the 
new stack 
frame 
from 
the 
preceding 
frame. 
This 
list of stack 
frame 
pointers 
is sometimes 
called 
the 
"display." 


The first word of the display 
is a pointer 
to 
the last stack frame. 
This pointer 
enables 
a 
LEAVE 
instruction 
to reverse 
the action 
of 
the 
previous 
ENTER 
instruction 
by effec- 


tively discarding 
the last stack frame. 


After 
ENTER 
creates 
the new display 
for a 


procedure, 
it allocates 
the dynamic 
storage 


space for that procedure 
by decrementing 
SP 
by the number 
of bytes specified 
in the first 


parameter. 
This new value of SP serves as a 


base for all PUSH 
and POP operations 
within 
that procedure. 


To enable a procedure 
to address 
its display, 


ENTER 
leaves BP pointing 
to the beginning 
of the new stack 
frame. 
Data 
manipulation 
instructions 
that specify BP as a base register 
implicitly 
address 
locations 
within 
the stack 
segment 
instead 
of the 
data 
segment. 
Two 
forms of the ENTER 
instruction 
exist: nested 
and non-nested. 
If the lexical 
level is 0, the 
non-nested 
form 
is used. 
Since 
the 
second 
operand 
is 0, ENTER 
pushes 
BP, copies SP 
to BP and then 
subtracts 
the 
first 
operand 
from SP. The nested form of ENTER 
occurs 
when the second parameter 
(lexical 
level) is 


not O. Figure 
4-1 gives the formal 
definition 
of ENTER. 


The Formal 
Dellnltlon 
01 The ENTER Instruction 
For All Cases Is 
Given 
By The 
Following 
Ustlng. 
LEVEL 
Denotes 
The 
Value 
01 
The Second 
Operand. 


Push BP 
Set a temporsry 
value FRAMEJ'TR 
:- 
SP 
II LEVEL> 
0 then 
Repeat 
(LEVEL 
-1) 
tlm •• : 
BP:- 
BP-2 
Push the word 
pointed 
to by BP 
End repeat 
Push FRAMEJ'TR 
End II 
BP:- 
FRAMEJ'TR 
SP : - 
SP - 
Ilrst 
operand. 


Figure 4-1. 
FormBI Definition 
of the ENTER 
Instruction 


The main procedure (with other procedures 
nested within) operates at the highest lexical 
level, level 1. The first procedure 
it calls 
operates at the next deeper lexical level, level 
2. A level 2 procedure can access the varia- 
bles of the main program which are at fixed 
locations specified by the compiler. In the case 
of levell, 
ENTER 
allocates 
only 
the 
requested 
dynamic 
storage 
on the stack 
because there is no previous display to copy. 


A program operating at a higher lexical level 
calling a program at a lower lexical level 
requires that the called procedure should have 
access to the variables of the calling program. 
ENTER 
provides 
this 
access 
through 
a 
display that 
provides addressability 
to the 
calling program's stack frame. 


A procedure calling another procedure at the 
same lexical level implies that they are paral- 
lel procedures and that the called procedure 
should not have access to the variables of the 
calling procedure. In this case, ENTER copies 
only that portion of the display from the 
calling procedure which refers to previously 
nested procedures operating at higher lexical 
levels. The new stack frame does not include 
the pointer for addressing the calling proce- 
dure's stack frame. 


ENTER 
treats a reentrant 
procedure as a 
procedure calling another procedure at the 


same lexical level. In this case, each succeed- 
ing iteration of the reentrant procedure can 
address only its own variables and the varia- 
bles of the calling procedures at higher lexical 
levels. A reentrant 
procedure 
can always 
address its own variables; it does not require 
pointers to the stack 
frames 
of previous 
iterations. 


By copying only the stack frame pointers of 
procedures at higher lexical levels, ENTER 
makes sure that procedures access only those 
variables of higher lexical levels, not those at 
parallel lexical levels (see figure 4-2). Figures 
4-2a through 4-2d demonstrate the actions of 
the ENTER instruction if the modules shown 
in figure 4-1 were to call one another 
in 
alphabetic order. 


Example: 
ENTER 2048,3 


Allocates 2048 bytes of dynamic 
storage on the stack and sets up 
pointers 
to two previous 
stack 
frames in the stack frame that 
ENTER 
creates 
for 
this 
procedure. 


Block-structured high-level languages can use 
the lexical 
levels defined 
by ENTER 
to 
control access to the variables of previously 
nested 
procedures. 
For 
example, 
if 
PROCEDURE 
A calls PROCEDURE 
B 
which, in turn, calls PROCEDURE 
C, then 
PROCEDURE 
C will have access to the 
variables of MAIN and PROCEDURE 
A, 
but 
not PROCEDURE 
B because 
they 
operate at the same lexical level. Following is 
the complete definition of the variable access 
for figure 4-2. 


1. 
MAIN 
PROGRAM 
has variables 
at 
fixed locations. 


2. 
PROCEDURE 
A can access only the 
fixed variables of MAIN. 
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for MAIN but copies no pointers. The first 
and only word in the display points to itself 
because there is no previous value for LEAVE 
to return to BP. See figure 4-2a. 


PROCEDURE 
A (lEXICAL 
lEVEL 
2) 
I 
PROCEDURE 
B (lEXICAL 
lEVEL 
3) I 


PROCEDURE 
C (lEXICAL 
lEVel 
3) 
I PROCEDURE 
D (lEXICAL 
lEVEL 
4) I 


3. 
PROCEDURE 
B can access only the 


variables 
of 
PROCEDURE 
A 
and 


MAIN. PROCEDURE 
B cannot access 
the variables 
of PROCEDURE 
C or 


PROCEDURE 
D. 


4. 
PROCEDURE 
C can access only the 


variables 
of 
PROCEDURE 
A 
and 


MAIN. PROCEDURE 
C cannot access 


the variables 
of PROCEDURE 
B or 


PROCEDURE 
D. 


5. 
PROCEDURE 
D 
can 
access 
the 


variables 
of 
PROCEDURE 
C, 
PROCEDURE 
A, 
and 
MAIN. 
PROCEDURE 
D cannot 
access 
the 


variables of PROCEDURE 
B. 


After 
MAIN 
calls 
PROCEDURE 
A, 


ENTER creates a new display for PROCE- 
DURE A with the first word pointing to the 
previous value of BP (BPM for LEAVE to 
return to the MAIN stack frame) and the 
second word pointing to the current value of 
BP. Procedure 
A can access variables 
in 


MAIN since MAIN is at level 1. Therefore 
the base for the dynamic storage for MAIN 
is at [BP- 
2]. All dynamic 
variables 
for 


MAIN will be at a fixed offset from this 
value. See figure 4-2b. 


After PROCEDURE 
A calls PROCEDURE 


B, ENTER 
creates 
a 
new 
display 
for 


PROCEDURE 
B with the first word point- 


ing to the previous value of BP, the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the value of 
BP for A and the last word pointing to the 
current BP. B can access variables in A and 
MAIN by fetching from the display the base 
addresses of the respective dynamic storage 
areas. See figure 4-2c. 


After PROCEDURE 
B calls PROCEDURE 


C, 
ENTER 
creates 
a new display 
for 


PROCEDURE 
C with the first word point- 


ing to the previous value of BP, the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the BP value 
for A and the third word pointing to the 
current value of BP. Because PROCEDURE 
B and PROCEDURE C have the same lexical 
level, PROCEDURE 
C is not allowed access 


to variables 
in B and therefore 
does not 


receive 
a 
pointer 
to 
the 
beginning 
of 


PROCEDURE 
B's 
stack 
frame. 
See 


figure 4-2d. 
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Figure 4·2c. 
Stack Frame for Procedure 
B at 
Level 3 Called from A 


LEAVE 
(Leave Procedure) reverses the action 
of the previous ENTER 
instruction. 
The 
LEA VE instruction 
does not include 
any 
operands. 


Example: 
LEAVE 


First, LEAVE copies BP to SP to 
release all stack space allocated to 
the procedure by the most recent 
ENTER 
instruction. 
Next, 
LEAVE pops the old value of BP 
from the stack. 
A subsequent 
RET instruction can then remove 
any arguments that were pushed 
on the 
stack 
by 
the 
calling 
program 
for use by the called 
procedure. 
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Figure 4·2d. 
Stack Frame for Procedure 
C at 
Level 3 Called from B 


BOUND (Detect Value Out of Range) verifies 
that the signed value contained 
in the speci- 
fied register 
lies within 
specified 
limits. 
An 
interrupt 
(INT 
5) 
occurs 
if 
the 
value 
contained 
in the register is less than the lower 
bound or greater 
than the upper bound. 


The 
BOUND 
instruction 
includes 
two 
operands. 
The 
first 
operand 
specifies 
the 
register 
being 
tested. 
The 
second 
operand 
contains 
the effective 
relative 
address 
of the 
two 
signed 
BOUND 
limit 
values. 
The 
BOUND 
instruction 
assumes 
that 
it can 
obtain the upper limit from the memory 
word 
that 
immediately 
follows 
the 
lower 
limit. 


These 
limit 
values 
cannot 
be 
register 
operands; 
if they 
are, 
an 
invalid 
opcode 
exception 
occurs. 


BOUND 
is useful for checking 
array 
bounds 
before using a new index value to access 
an 
element 
within 
the array. 
BOUND 
provides 
a simple way to check the value of an index 
register 
before the program 
overwrites 
infor- 
mation 
in a location 
beyond 
the limit of the 


array. 


The two-word 
block of memory 
that specifies 


the lower and upper limits of an array 
might 
typically 
reside just 
before 
the 
array 
itself. 


This makes the array 
bounds 
accessible 
at a 


constant 
offset of - 4 from the beginning 
of 
the array. 
Because 
the address 
of the array 


will already 
be 
present 
in a register, 
this 


practice avoids extra calculations 
to obtain the 


effective address of the array bounds. 


Compares 
the value 
in BX with 


the 
lower 
limit 
at 
address 


ARRAY -4 and the upper 
limit 
at address 
ARRAY 
- 2. If the 


signed value in BX is less than the 
lower bound 
or greater 
than 
the 


upper bound, the interrupt 
for this 


instruction 
(INT 
5) 
occurs. 


Otherwise, 
this instruction 
has no 


effect. 
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CHAPTER 5 
REAL ADDRESS MODE 


The iAPX 
286 can be operated 
in either 
of 


two 
modes 
according 
to the 
status 
of the 
Protection 
Enabled 
bit of the 
MSW 
status 
register. 
In contrast 
to the 
"modes" 
and 


"mode bits" of some processors, 
however, the 
iAPX 
286 modes do not represent 
a radical 
transition 
between 
conflicting 
architectures. 
Instead, 
the setting of the Protection 
Enabled 
bit 
simply 
determines 
whether 
certain 
advanced 
features, 
in addition 
to the baseline 
architecture 
of 
the 
iAPX 
286, 
are 
to 
be 
made 
available 
to 
system 
designers 
and 
programmers. 


If the Protection 
Enabled 
(PE) 
bit is set by 
the programmer, 
the processor 
changes 
into 
Protected 
Virtual 
Address 
Mode. 
In this 
mode 
of operation, 
memory 
addressing 
is 
performed 
in terms of virtual 
addresses, 
with 
on-chip mapping 
mechanisms 
performing 
the 


virtual-to-physical 
translation. 
Only 
in this 
mode can the system designer make use of the 
advanced 
architectural 
features 
of the iAPX 


286: virtual 
memory 
support, 
system-wide 
protection, 
and built-in 
multitasking 
mecha- 
nisms are among the new features 
provided in 


this mode of operation. 
Refer 
to Part 
II of 
this 
manual 
(Chapters 
6 through 
11) for 
details on Protected 
Mode operation. 


Initially, 
upon 
system 
reset, 
the 
processor 
starts up in Real Address Mode. In this mode 
of 
operation, 
all 
memory 
addressing 
is 
performed 
in terms of real physical addresses. 
In effect, the architecture 
of the iAPX 286 in 


this mode is identical 
to that of the 8086 and 
other processors 
in the iAPX 
86 family. 
The 
principal 
features 
of this 
baseline 
architec- 
ture have already 
been discussed 
throughout 
Part I (Chapters 
2 through 
4) of this manual. 


This 
chapter 
discusses 
certain 
additional 


topics-addressing, 
interrupt 
handling, 
and 


system 
initialization-that 
complete 
the 
system programmer's 
view of the iAPX 
286 
in Real Address 
Mode. 


5.1 
ADDRESSING AND SEGMENTATION 


Like other processors 
in the iAPX 86 family, 
the 
iAPX 
286 
provides 
a one-megabyte 
memory 
space (220 bytes) 
when operated 
in 
Real Address 
Mode. 
Physical 
addresses 
are 
the 20-bit values that 
uniquely 
identify 
each 
byte location 
in this address 
space. 
Physical 
addresses, 
therefore, 
may 
range 
from 
0 
through 
FFFFFH. 


An address 
is specified 
by a 32-bit 
pointer 
containing 
two components: 
(I) 
a 16-bit 
effective 
address 
offset 
that 
determines 
the 
displacement, 
in bytes, of a particular 
location 
within 
a segment; 
and (2) a 16-bit segment 
selector component 
that determines 
the start- 
ing address of the segment. 
Both components 
of an address may be referenced 
explicitly 
by 


an instruction 
(such 
as JMP, 
LES, 
LDS, 
or 
CALL); 
more 
often, 
however, 
the 
segment 


selector 
is simply the contents 
of a segment 
register. 


The interpretation 
of the first component, 
the 
effective 
address 
offset, 
is straight-forward. 
Segments 
are 
at 
most 
64K 
(216) 
bytes 
in 
length, 
so an unsigned 
16-bit 
quantity 
is 
sufficient 
to 
address 
any 
arbitrary 
byte 
location with a segment. The lowest-addressed 
byte within a segment 
has an offset of 0, and 
the highest-addressed 
byte 
has an offset 
of 
FFFFH. 
Data 
operands 
must 
be completely 
contained 
within 
a segment 
and 
must 
be 
contiguous. 
(These rules apply in both modes.) 


A segment 
selector 
is the second component 
of a logical 
address. 
This 
16-bit 
quantity 
specifies 
the 
starting 
address 
of a segment 
within a physical 
address 
space of 220 bytes. 


Whenever the iAPX 286 accesses memory in 
Real Address Mode, it generates a 20-bit 
physical address from a segment selector and 
offset value. The segment selector value is left- 
shifted four bit positions to form the segment 
base address. The offset is extended with 4 
high order zeroes and added to the base to 
form the physical address (see figure 5-1.) 


Therefore, every segment is required to start 
at a byte address that is evenly divisible by 
16; thus, each segment is positioned at a 
20-bit physical address whose least signifi- 
cant four bits are zeroes. This arrangement 
allows the iAPX 286 to interpret a segment 


selector as the high-order 16 bits of a 20-bit 
segment base address. 


No limit or access checks are performed by 
the iAPX 286 in the Real Address Mode. All 
segments are readable, writable, executable, 
and have a limit of OFFFFH (65535 bytes). 
To save physical memory, you can use unused 
portions of a segment as another segment by 
overlapping the two (see figure 5-2). The Intel 
iAPX 86 software development tools support 
this feature 
via the segment override and 
group operators. 
However, programs 
that 


access segment B from 
segment A become 


incompatible in the protected virtual address 
mode. 
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Figure 5·2. 
Overlapping 
Segments 
to Save 
Physical Memory 


Program 
interrupts 
may be generated 
in either 
of two distinct 
ways. An internal interrupt 
is 
caused 
directly 
by the 
currently 
executing 
program. 
The 
execution 
of 
a particular 
instruction 
results 
in the 
occurrence 
of an 
interrupt, 
whether 
intentionally 
(e.g., an INT 
instruction) 
or as an unanticipated 
exception 
(e.g., invalid opcode). 
On the other hand, 
an 
external interrupt 
occurs 
asynchronously 
as 
the result of an event external 
to the proces- 
sor, and bears no necessary 
relationship 
with 
the currently 
executing 
program. 
The INTR 
and NMI 
pins of the iAPX 
286 provide 
the 
means by which external 
hardware 
signals the 
occurrence 
of such events. 


5.2.1 
Interrupt Vector Table 


Whatever 
its origin, 
whether 
internal 
or 
external, 
an interrupt 
demands 
immediate 
attention 
from an associated 
service routine. 
Control 
must be transferred, 
at least for the 
moment, 
from 
the 
currently 
executing 
program 
to the appropriate 
interrupt 
service 
routine. 
By means 
of interrupt 
vectors, 
the 
iAPX 
286 handles 
such 
control 
transfers 
uniformly 
for both kinds of interrupts. 


An interrupt 
vector is an unsigned 
integer 
in 
the range of 0-255; every interrupt 
is assigned 
such a vector. In some cases, the assignment 
is predetermined 
and fixed: for example, 
an 
external 
NMI 
interrupt 
is invariably 
associ- 
ated with vector 
2, while an internal 
divide 
exception 
is always associated 
with vector 
O. 
In most cases, however, the association 
of an 
interrupt 
and a vector is established 
dynami- 
cally. 
An 
external 
INTR 
interrupt, 
for 
example, 
supplies 
a vector 
in response 
to an 
interrupt 
acknowledge 
bus cycle, 
while 
the 
INT 
instruction 
supplies 
a vector 
incorpo- 
rated within the instruction 
itself. The vector 
is shifted 
two 
places 
left 
to form 
a byte 
address 
into 
the 
table 
(see 
figure 5-3). 


In any case, the iAPX 286 uses the interrupt 
vector 
as an index 
into 
a table 
in order 
to 
determine 
the 
address 
of the corresponding 
interrupt 
service 
routine. 
For Real 
Address 
Mode, 
this table 
is known 
as the 
Interrupt 
Vector 
Table. 
Its 
format 
is illustrated 
in 
figure 5-3. 


The 
Interrupt 
Vector 
Table 
consists 
of as 
many 
as 256 consecutive 
entries, 
each 
four 
bytes long. Each entry defines the address 
of 
a service 
routine 
to be associated 
with 
the 
correspondingly 
numbered 
interrupt 
vector 
code. Within 
each entry, 
an address 
is speci- 
fied by a full 32-bit pointer 
that consists of a 
16-bit offset and a 16-bit segment 
selector. 


In Real Address Mode, the interrupt 
table can 
be accessed 
directly 
at physical 
memory 
location 
0 through 
1023. 
In the 
protected 
virtual 
address 
mode, however, 
the interrupt 
vector table has no fixed physical 
address 
and 
cannot 
be directly 
accessed. 
Therefore, 
Real 
Address 
mode 
programs 
that 
directly 
manipulate the interrupt vector table will not 
work in the protected virtual address mode 
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5.2.1.1 
INTERRUPT PRIORITIES 


When simultaneous 
interrupt 
requests 
occur, 
they are processed 
in a fixed order as shown 


in table 
5-1. Interrupt 
processing 
involves 
saving 
the 
flags, 
the 
return 
address, 
and 


setting CS:IP 
to point at the first instruction 


of the interrupt 
handler. 
If other 
interrupts 


remain enabled, 
they are processed 
before the 
first 
instruction 
of the 
current 
interrupt 
handler 
is executed. 
The 
last 
interrupt 
processed 
is therefore 
the first one serviced. 


5.2.2 Interrupt Procedures 


When 
an interrupt 
occurs 
in Real 
Address 
Mode, 
the iAPX 
86 performs 
the following 
sequence of steps. First, the FLAGS 
register, 
as well as the old values 
of CS and IP, are 
pushed 
onto the stack 
(see figure 
5-4). The 
IF and TF flag bits are cleared. 
The vector 
number 
is then 
used to read 
the address 
of 
the interrupt 
service routine 
from the inter- 
rupt table. Execution 
begins at this address. 


Order 
Interrupt 


1. 
INT instruction 
or exception 


2. 
Single step 


c 


3. 
NMI 
4. 
Processor 
extension 
segment 
overrun 


5. 
INTR 


! 
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ADDRESSES 
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Figure 
5·4. 
Stack 
Structure 
After 
Interrupt 


(Real Address 
Mode) 


Thus, when control is passed to an interrupt 
service routine, the return linkage is placed 
on the stack, interrupts 
are disabled, 
and 
single-step trace (if in effect) is turned off. 
The IRET instruction at the end of the inter- 
rupt service routine will reverse these steps 
before transferring 
control to the program 


that was interrupted. 


An interrupt service routine may affect regis- 
ters other than other IP, CS, and FLAGS. It 
is the responsibility of an interrupt routine to 
save additional context information 
before 


proceeding so that the state of the machine 
can be restored upon completion of the inter- 
rupt service routine 
(PUSHA 
and POP A 


instructions 
are intended 
for these opera- 


tions). 
Finally, 
execution 
of the 
IRET 


instruction pops the old IP, CS, and FLAGS 
from the stack and resumes the execution of 
the interrupted program. 


5.2.3 
Reserved and Dedicated Interrupt 
Vectors 


In general, the system designer is free to use 
almost any interrupt 
vectors for any given 


purpose. 
Some 
of the 
lowest-numbered 


vectors, however, are reserved by Intel for 
dedicated functions; their use is specifically 
implied by certain types of exceptions. None 
of the first 32 vectors should be defined by 
the user; these vectors are either invoked by 
pre-defined exceptions or reserved by Intel for 
future 
expansion. 
Table 
5-2 shows 
the 
dedicated and reserved vectors of the iAPX 
286 in Real Address Mode. 


The purpose and function of the dedicated 
interrupt 
vectors 
may be summarized 
as 


follows (the saved value of CS:IP will include 
aI/leading prefixes): 


• 
Divide error (Interrupt 0). This exception 
will occur if the quotient is too large or 
an attempt is made to divide by zero using 


either the DIV or IDIV instruction. The 
saved CS:IP points at the first byte of the 
failing 
instruction. 
DX and AX are 
unchanged. 


• 
Single-Step 
(Interrupt I). This interrupt 
will occur after each instruction if the 
Trace Flag (TF) bit of the FLAGS regis- 
ter is set. Of course, TF is cleared upon 
entry to this or any other interrupt 
to 
prevent 
infinite 
recursion. 
The saved 
value of CS:IP will point to the next 
instruction. 


• 
Nonmaskable 
(Interrupt 2). This inter- 


rupt will occur upon receipt of an exter- 
nal signal on the NMI pin. Typically, the 
nonmaskable interrupt is used to imple- 
ment power-fail/auto-restart 
procedures. 
The saved value of CS:IP will point to the 
first byte of the interrupted instruction. 


• 
Breakpoint 
(Interrupt 
3). Execution of 
the one-byte breakpoint instruction causes 
this interrupt to occur. This instruction is 
useful for the implementation of software 
debuggers since it requires only one code 
byte and can be substituted 
for any 
instruction opcode byte. The saved value 
of 
CS:IP 
will 
point 
to 
the 
next 
instruction. 


• 
INTO Detected Overflow (Interrupt 4). 
Execution of the INTO instruction will 
cause 
this 
interrupt 
to occur 
if the 
overflow bit (OF) of the FLAGS register 
is set. The saved value of CS:IP will point 
to the next instruction. 


• 
BOUND Range Exceeded (Interrupt 5). 
Execution of the BOUND instruction will 
cause this interrupt to occur if the speci- 
fied array index is found to be invalid 
with respect to the given array bounds. 
The saved value of CS:IP will point to the 
first byte of the BOUND instruction. 


Interrupt 
Related 
Return Address 
Function 
Before Instruction 
Number 
Instructions 
Causing Exception? 


Divide error exception 
0 
DIV,IDIV 
Yes 


Single step interrupt 
1 
All 
NjA 


.. 


NMI interrupt 
2 
All 
NjA 


1 
, 


Breakpoint interrupt 
3 
INT 
, 
, 
NjA 
- 


INTO detected overflow exception 
4 
INTO 
, 
No 


BOUND range exceeded exception 
5 
BOUND 
Yes 


Invalid opcode exception 
6 
Any undefined opcode 
Yes 


Processor 
extension 
not 
available 
7 
ESe or WAIT with 
Yes 
exception 


Interrupt table limit too small 
8 
L1DT 
Yes 
. 


Processor extension segment overrun 
9 
ESe 
Yes 
interrupt 


Segment overrun exception 
13 
All memory reference 
Yes 
instructions 


Reserved 
10-12,14,15 


Processor extension error interrupt 
16 
ESe or WAIT 
NjA 


..-. 


Reserved 
- . 
17-31 


I 


User defined 
, 
I 
• 
32-255 
; 


• 
Invalid 
Opcode 
(Interrupt 
6). 
This 
exception will occur if execution of an 
invalid opcode is attempted. 
(In Real 
Address Mode, most of the Protected 
Virtual Address Mode instructions 
are 
classified as invalid and should not be 
used). This interrupt can also occur if the 
effective 
address 
given 
by 
certain 


instructions, 
notably 
BOUND, 
LDS, 


LES, and LIDT, 
specifies 
a register 


rather than a memory location. The saved 
value of eS:IP will point to the first byte 
of the invalid instruction or opcode. 


• 
Processor 
Extension 
Not 
Available 


(Interrupt 
7). Execution 
of the ESe 


instruction will cause this interrupt 
to 


occur 
if the 
status 
bits 
of the 
MSW 


indicate 
that 
processor 
extension 


functions 
are to be emulated 
in software. 
Refer 
to section 
3.10 for more 
details. 
The saved value of eS:IP 
will point to the 


first 
byte 
of 
the 
ESe 
or 
the 
WAIT 


instruction. 


• 
Interrupt 
Table Limit 
Too Small 
(Inter- 


rupt 8). This interrupt 
will occur 
if the 


limit 
of the 
interrupt 
vector 
table 
was 


changed 
from 
3FFH 
by 
the 
LIDT 


instruction. 
The saved value of eS:IP 
will 


point to the first byte of the instruction 
that 
caused 
the 
interrupt 
or 
that 
was 


ready to execute before an external 
inter- 


rupt occurred. 


• 
Processor 
Extension 
Segment 
Overrun 


Interrupt 
(Interrupt 
9). The interrupt 
will 


occur 
if a processor 
extension 
memory 


operand 
does not fit in a segment. 
The 


saved eS:IP 
will point at the first byte of 


the instruction 
that caused the interrupt. 


• 
Segment 
Overrun 
Exception 
(Interrupt 


13). This interrupt 
will occur if a memory 


operand 
does not fit in a segment. 
The 


saved eS:IP 
will point at the first byte of 


the instruction 
that caused the interrupt. 


• 
Processor Extension 
Error (Interrupt 
16). 
This interrupt 
occurs 
after 
the numeric 


instruction 
that 
caused 
the error. 
It can 


only occur while executing 
a subsequent 


WAIT or ESe. 
The saved value of eS:IP 


will point to the first byte of the ESe 
or 


the WAIT 
instruction. 
The address of the 


failed numeric 
instruction 
is saved in the 


NPX. 


5.3 
SYSTEM 
INITIALIZATION 


The 
iAPX 
286 provides 
an orderly 
way to 


start 
or restart 
an executing 
system. 
Upon 


receipt of the RESET 
signal, certain 
proces- 


sor registers 
go into 
the 
determinate 
state 


shown in table 5-3. 


Register 
Contents 


FLAGS 
0002 
MSW 
FFFO 
IP 
FFFO 
CS 
FOOO 
OS 
0000 
SS 
0000 
ES 
0000 


Since 
the 
es 
register 
contains 
FOOO (thus 
specifying 
a code segment 
starting 
at physi- 
cal address FOOOO)and the instruction 
pointer 
contains 
FFFO, the processor 
will execute 
its 
first instruction 
at physical address 
FFFFOH. 


The uppermost 
16 bytes of physical 
memory 
are therefore 
reserved for initial startup 
logic. 
Ordinarily, 
this location 
contains 
an interseg- 
ment direct JMP 
instruction 
whose target 
is 
the actual beginning 
of a system initialization 
or restart 
program. 


Some of the steps normally 
performed 
by a 
system initialization 
routine 
are as follows: 


• 
Allocate 
a stack. 


• 
Load programs 
and data from secondary 
storage into memory. 


• 
Initialize 
external 
devices. 


• 
Enable 
interrupts 
(i.e., set the IF bit of 
the 
FLAGS 
register). 
Set 
any 
other 
desired FLAGS 
bit as well. 


• 
Set 
the 
appropriate 
MSW 
flags 
if a 
processor 
extension 
is present, 
or 
if 
processor 
extension 
functions 
are 
to be 
emulated 
by software. 


• 
Set other registers, 
as appropriate, 
to the 
desired initial values. 


• 
Execute. 
(Ordinarily, 
this 
last 
step 
is 
performed 
as an intersegment 
JMP to the 
main system program.) 


Memory Management And 
6 
Virtual Addressing 


CHAPTER 6 
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING 


In Protected Virtual Address Mode, the iAPX 
286 provides an advanced architecture 
that 
retains substantial compatibility with the 8086 
and other processors in the iAPX 86 family. 
In many respects, the baseline architecture of 
the processor remains constant regardless of 
the mode of operation. Application program- 
mers continue to use the same set of instruc- 
tions, addressing modes, and data types in 
Protected Mode as in Real Address Mode. 


The major difference between the two modes 
of operation 
is that 
the Protected 
Mode 
provides system programmers with additional 
architectural features, supplementary to the 
baseline architecture, that can be used to good 
advantage in the design and implementation 
of advanced systems. Especially noteworthy 
are the mechanisms 
provided for memory 
management, protection, and multitasking. 


This chapter focuses on the memory manage- 
ment mechanisms of Protected 
Mode; the 
concept of a virtual address and the process 
of virtual-to-physical address translation are 
described in detail in this chapter. 
Subse- 
quent chapters deal with other key aspects of 
Protected 
Mode 
operation. 
Chapter 
7 
discusses the issue of protection 
and the 


integrated mechanisms that support a system- 
wide protection policy. Chapter 8 discusses the 
notion of a task and its central role in the 
iAPX 286 architecture. Chapters 9 through 
11 discuss certain additional topics-inter- 
rupt handling, special instructions, 
system 
initialization, etc.-that 
complete the system 
programmer's 
view of iAPX 286 Protected 
Mode. 


6.1 
MEMORY MANAGEMENT OVERVIEW 


A memory management scheme interposes a 
mapping operation between logical addresses 


(i.e., 
addresses 
as they 
are 
viewed 
by 
programs) and physical addresses (i.e., actual 
addresses in real memory). Since the logical 
address spaces are independent of physical 
memory 
(dynamically 
relocatable), 
the 
mapping (the assignment of real address space 
to virtual address space) is transparent 
to 
software. This allows the program develop- 
ment tools (for static systems) or the system 
software (for reprogram mabie systems) to 
control the allocation of space in real memory 
without regard to the specifics of individual 
programs. 


Application programs may be translated and 
loaded independently since they deal strictly 
with virtual addresses. Any program can be 
relocated to use any available segments of 
physical memory. 


The iAPX 286, when operated in Protected 
Mode, provides an efficient on-chip memory 
management 
architecture. 
Moreover, 
as 
described in Chapter 11, the iAPX 286 also 
supports 
the 
implementation 
of virtual 
memory 
systems-that 
is, systems 
that 
dynamically swap chunks of code and data 
between real memory and secondary storage 
devices (e.g., a disk) independent 
of and 
transparent 
to the executing 
application 
programs. Thus, a program-visible address is 
more aptly termed a virtual address rather 
than a logical address since it may actually 
refer to a location not currently present in real 
memory. 


Memory management, 
then, consists of a 
mechanism for mapping the virtual addresses 
that 
are visible to the program 
onto the 
physical addresses of real memory. With the 
iAPX 286, segmentation is the key to virtual 
memory addressing. Virtual memory is parti- 


which 
are 
the 
units 
of memory 
that 
are 


mapped 
into physical 
memory 
and swapped 


to and from secondary 
storage 
devices. Most 


of this chapter 
is devoted to a detailed 
discus- 


sion of the 
mapping 
and 
virtual 
memory 


mechanisms 
of the iAPX 286. 


The concept of a task also plays a significant 
role in memory 
management 
since 
distinct 


memory 
mappings 
may 
be assigned 
to the 


different 
tasks 
in a multi task 
or multi-user 


environment. 
A complete 
discussion 
of tasks 


is deferred 
until Chapter 
8, "Tasks 
and State 


Transition." 
For present 
purposes, 
it is suffi- 


cient to think of a task as an ongoing process, 
or execution 
path, 
that 
is dedicated 
to a 


particular 
function. 
In a multi-user 
time- 


sharing 
environment, 
for 
example, 
the 


processing 
required 
to interact 
with a partic- 


ular user may be considered 
as a single task, 


functionally 
independent 
of the 
other 
tasks 


(i.e., users) in the system. 


6.2 
VIRTUAL ADDRESSES 


In Protected 
Mode, application 
programs 
deal 


exclusively 
with virtual 
addresses; 
programs 


have 
no access 
whatsoever 
to the 
actual 


physical 
addresses 
generated 
by the proces- 


sor. As discussed 
in Chapter 
2, an address 
is 


specified 
by a program 
in terms 
of two 


components: 
(I) 
a 
16-bit 
effective 
address 


offset 
that 
determines 
the 
displacement, 
in 
bytes, of a location 
within a segment; 
and (2) 


a 16-bit segment 
selector that uniquely 
refer- 


ences a particular 
segment. 
Jointly, 
these two 


components 
constitute 
a complete 
32-bit 


address 
(pointer 
data 
type), 
as 
shown 
in 


figure 6-1. 


These 
32-bit 
virtual 
addresses 
are 
manipu- 


lated by programs 
in exactly the same way as 


the two-component 
addresses of Real Address 


Mode. 
After 
a program 
loads 
the 
segment 


selector 
component 
of an 
address 
into 
a 


to locations 
within 
the 
selected 
segment 


requires 
only a 16- bit offset 
be specified. 


Locality 
of reference 
will ordinarily 
insure 


that addresses can be specified very efficiently 
using only 16-bit offsets. 


An 
important 
difference 
between 
Real 
Address Mode and Protected 
Mode, however, 


concerns 
the actual 
format 
and information 
content of segment selectors. 
In Real Address 
Mode, as with the 8086 and other processors 
in the iAPX 
86 family, 
a 16-bit 
selector 
is 


merely the upper bits of a segment's 
physical 
base address. 
By contrast, 
segment 
selectors 


in Protected 
Mode follow an entirely 
differ- 
ent format, 
as illustrated 
by figure 6-2. 


Two of the selector 
bits, 
designated 
as the 
RPL 
field 
in figure 
6-2, 
are 
not 
actually 


involved in the selection 
and specification 
of 
segments; their use is discussed 
in Chapter 
7. 
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Figure 6-2. Format of the Segment Selector 


Component 


The remaining 14 bits of the selector compo- 
nent uniquely designate a particular segment. 
The virtual 
address 
space of a program, 


therefore, may encompass as many as 16,384 
(214) distinct segments. Segments themselves 
are of variable size, ranging from as small as 
a single byte to as large as 64K (216) 
bytes. 
Thus, a program's virtual address space may 
contain, altogether, 
up to a full gigabyte 


(230 = 214 X 216) of individually addressable 
byte locations. 


The entirety of a program's virtual address 
space is further subdivided into two separate 
halves, as distinguished by the TI ("table 
indicator") bit in the virtual address. These 
two halves are the global address space and 
the local address space. 


The global address space is used for system- 
wide data and procedures including operating 
system software, library routines, 
runtime 


language support and other commonly shared 


system services. (To application programs, the 
operating system appears to be a set of service 
routines 
that 
are accessible 
to all tasks.) 
Global space is shared by all tasks to avoid 
unnecessary 
replication 
of system service 
routines and to facilitate 
shared data 
and 
interrupt handling. Global address space is 
defined by addresses with a zero in the TI bit 
position; it is identically mapped for all tasks 
in the system. 


The other half of the virtual address space- 
comprising those addresses with the TI bit 
set-is 
separately mapped for each task in the 
system. Because such an address space is local 
to the task for which it is defined, it is referred 
to as a local address space. In general, code 
and data 
segments 
within 
a task's 
local 
address space are private to that particular 
task or user. Figure 6-3 illustrates the task 
isolation made possible by partitioning 
the 
virtual address spaces into local and global 
regions. 


TASK 3 VIRTUAL ADDRESS SPACE~ 


Within each of the two regions addressable 
by a program--either 
the global address space 


or a particular local address space-as 
many 


as 8,192 (213) 
distinct 
segments 
may be 


defined. The INDEX 
field of the segment 


selector allows for a unique specification of 
each of these segments. This 13-bit quantity 
acts as an index into a memory-resident table, 
called a descriptor table, that 
records the 


mapping between segment address and the 
physical locations allocated to each distinct 
segment. (These descriptor tables, and their 
role in virtual-to-physical address translation, 
are described in the sections that follow.) 


In summary, 
a Protected 
Mode 
virtual 


address is a 32-bit pointer to a particular byte 
location within a one-gigabyte virtual address 
space. Each such pointer consists of a 16-bit 
selector 
component 
and 
a 16-bit 
offset 


component. The selector component, in turn, 
comprises a 13-bit table index, a I-bit table 
indicator (local versus global), and a 2-bit 
RPL field; all but this last field serve to select 
a particular segment from among the 16K 
segments in a task's virtual address space. The 
offset component 
of a full pointer 
is an 


unsigned 
16-bit integer that specifies the 


desired byte location 
within 
the selected 


segment. 


6.3 
DESCRIPTOR TABLES 


A descriptor table is a memory-resident table 
either defined by program development tools 
in a static system or controlled by operating 
system software in systems that are repro- 
grammable. 
The descriptor 
table contents 


govern the interpretation of virtual addresses. 
Whenever the iAPX 286 decodes a virtual 
address, translating a full 32-bit pointer into 
a corresponding 24-bit physical address, it 
implicitly references one of these tables. 


Within a Protected Mode system, there are 
ordinarily several descriptor tables resident in 


memory. One of these is the global descriptor 
table (GDT); this table provides a complete 
description of the global address space. In 
addition, there may be one or more local 
descriptor tables (LDTs), each describing the 
local address space of one or more tasks. 


For each task in the system, a pair of descrip- 
tor tables-consisting 
of the GDT (shared by 


all tasks) and a particular 
LDT (private to 
the task or to a group of closely related 
tasks)-provides 
a complete description 
of 
that task's virtual address space. The protec- 
tion mechanism 
described 
in Chapter 
7, 
"Protection," 
ensures that a task is granted 
access only to its own virtual address space. 
In the simplest of system configurations, tasks 
can reside entirely within the GDT without 
the use of local descriptor tables. This will 
simplify system software by only requiring 
maintenance of one table (the GDT) at the 
expense of no isolation between tasks. The 
point is: the iAPX 286 memory management 
scheme is flexible enough to accommodate a 
variety 
of implementations 
and does not 


require use of all possible facilities 
when 


implementing a system. 


The descriptor tables consist of a sequence of 
8-byte entries called descriptors. A descriptor 
table may contain from 1 to 8192 entries. 


Within a descriptor table, two main classes of 
descriptors are recognized by the iAPX 286 
architecture. 
The most important 
of these, 


from the standpoint of memory management, 
are called segment descriptors; these deter- 
mine the set of segments that are included 
within a given address space. The other class 
of special-purpose control descriptors-such 
as call 
gates 
and 
task 
descriptors-are 


provided to implement protection (described 
in succeeding chapters) 
and special system 


data segments. 


Figure 
6-4 shows 
the 
format 
of a segment 
descriptor. 
Note 
that it provides 
information 
about the physical-memory 
base address 
and 
size of a segment, 
as well as certain 
access 
information. 
If a particular 
segment 
is to be 
included 
within 
a virtual 
address 
space, then 
a segment 
descriptor 
that 
describes 
that 
segment 
must be included 
within 
the appro- 
priate descriptor 
table. Thus, within the GDT, 
there 
are segment 
descriptors 
for all of the 
segments 
that 
comprise 
a system's 
global 
address space. Similarly, 
within a task's LDT, 
there 
must 
be a descriptor 
for each 
of the 
segments that are to be included in that task's 
local address 
space. 


Each local descriptor 
table 
is itself a special 
system segment, 
recognizable 
as such by the 


iAPX 
286 architecture 
and 
described 
by a 


specific type of segment descriptor 
(see figure 
6-5). 
Because 
there 
is only 
a single 
GDT 


segment, 
it is not 
defined 
by a segment 
descriptor. 
Its base 
and 
size information 
is 
maintained 
in a dedicated 
register, 
GDTR, 
as 
described 
below (section 
6.6.2). 


Similarly, 
there 
is another 
dedicated 
register 
within the iAPX 286, LDTR, 
that records the 
base 
and size of the current 
LDT 
segment 


(i.e., the LDT 
associated 
with the currently 
executing 
task). 
The 
LDTR 
register 
state, 
however, is volatile: its contents 
are automat- 


ically altered 
whenever 
a task switch is made 


from one task to another. 
An alternate 
speci- 


fication 
independent 
of changeable 
register 
contents 
must 
therefore 
exist for each 
LDT 


in the system. This independent 
specification 


is accomplished 
by means 
of special 
system 
segment descriptors 
known as descriptor 
table 
descriptors 
or LDT descriptors. 


Figure 
6-5 shows the format 
of a descriptor 


table descriptor. 
(Note that it is distinguished 


from an ordinary 
segment 
descriptor 
by the 
contents 
of certain 
bits in the access 
byte.) 


This 
special 
type 
of descriptor 
is used 
to 
specify the physical 
base address 
and size of 
a local descriptor 
table that defines the virtual 
address 
space 
and 
address 
mapping 
for 
an 
individual 
user or task (figure 
6-6). 
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Each LOT segment in a system must lie 
within that 
system's global address space. 
Thus, all of the descriptor table descriptors 
must be included among the entries in the 
global descriptor table (the GOT) of a system. 
In fact, these special descriptors may appear 
only in the GOT. 
Reference 
to an LOT 
descriptor within an LOT will cause a protec- 
tion violation. Even though they are in the 
global address space available to all tasks, the 
descriptor table descriptors are protected from 
corruption within the GOT since they are 
special system segments 
and can only be 
accessed for loading into the LOTR register. 


6.4 
VIRTUAL- TO-PHYSICAL 
ADDRESS 
TRANSLATION 


The translation of a full 32-bit virtual address 
pointer into a real 24-bit physical address is 
shown by figure 6-7. When the segment's base 
address 
is determined 
as a result 
of the 
mapping process, the offset value is added to 
the result to obtain the physical address. 


The actual 
mapping 
is performed 
on the 
selector component of the virtual address. The 
16-bit segment selector is mapped to a 24-bit 
segment base address via a segment descrip- 
tor maintained in one of the descriptor tables. 


DESCRIPTOR 
ITABLE I 


INDEX -1--1 


The TI bit in the segment 
selector (see figure 
6-2) 
determines 
which 
of two 
descriptor 


tables, 
either 
the GDT 
or the current 
LDT, 


is to be chosen for memory mapping. 
In either 
case, using the GDTR 
or LDTR 
register, 
the 


processor 
can readily 
determine 
the physical 
base address of the memory-resident 
table. 


The 
INDEX 
field 
in the 
segment 
selector 


specifies a particular 
descriptor 
entry 
within 


the chosen table. The processor 
simply multi- 
plies this index value by 8 (the 
length 
of a 
descriptor), 
and adds the result 
to the base 


address 
of the 
descriptor 
table 
in order 
to 


access the appropriate 
segment 
descriptor 
in 
the table. 


Finally, 
the segment 
descriptor 
contains 
the 
physical 
base address 
of the target 
segment, 
as well as size (limit) 
and access information. 
The processor 
sums the 24-bit 
segment 
base 
and the specified 
16-bit offset to generate 
the 


resulting 
24-bit physical 
address. 


6.5 
SEGMENTS 
AND SEGMENT 
DESCRIPTORS 


Segments 
are the basic 
units 
of iAPX 
286 
memory management. 
In contrast 
to schemes 
based on fixed-size pages, segmentation 
allows 
for 
a 
very 
efficient 
implementation 
of 
software: 
variable-length 
segments 
can be 
tailored 
to the 
exact 
requirements 
of an 
application. 
Segmentation, 
moreover, 
is 
consistent 
with 
the 
way 
a 
programmer 
naturally 
deals with his virtual 
address 
space: 


programmers 
are encouraged 
to divide 
code 
and data 
into clearly 
defined 
modules 
and 
structures 
which 
are 
manipulated 
as 
con- 
sistent entities. 
This reduces 
(minimizes) 
the 
potential 
for 
virtual 
memory 
thrashing. 


Segmentation 
also eliminates 
the restrictions 
on data 
structures 
that 
span a page (e.g., 
a 
word that crosses page boundaries). 


Each segment 
within an iAPX 
286 system is 
defined 
by an associated 
segment 
descriptor, 


which may appear 
in one or more descriptor 
tables. 
Its inclusion 
within 
a descriptor 
table 
represents 
the 
presence 
of its 
associated 
segment 
within 
the 
virtual 
address 
space 
defined by that table. Conversely, 
its om mis- 
sion from a descriptor 
table 
means 
that 
the 
segment 
is absent 
from 
the 
corresponding 
address space. 


As shown previously 
in figure 
6-4, an 8-byte 
segment 
descriptor 
encodes 
the 
following 
information 
about a particular 
segment: 


• 
Size. This 16-bit field, comprising 
the first 
two bytes of a segment 
descriptor, 
speci- 
fies an unsigned integer as the size, in bytes 
(from I byte to 64K bytes), of the segment. 


Unlike segments 
in the 8086 (or the iAPX 
286 in Real 
Address 
Mode )-which 
are 
never explicitly 
limited 
to less than 
a full 
64K bytes-Protected 
Mode segments 
are 
always 
assigned 
a specific 
size value. 
In 


conjunction 
with 
the 
protection 
features 


described 
in Chapter 
7, this assigned 
size 


allows the enforcement 
of a very desirable 


and natural 
rule: 
inadvertent 
accesses 
to 


locations 
beyond 
a 
segment's 
actual 


boundaries 
are prohibited. 


• 
Base. This 24-bit field, comprising 
bytes 2 


through 
4 of a segment 
descriptor, 
speci- 


fies 
the 
physical 
base 
address 
of 
the 


segment; it thus defines the actual location 
of the segment within the l6-megabyte 
real 


memory 
space. The base may be any byte 


address 
within 
the 
16-megabyte 
real 


memory 
space. 


• 
Access. This 8-bit field comprises 
byte 5 of 


a segment 
descriptor. 
This 
access 
byte 


specifies 
a variety 
of additional 
informa- 


tion about a segment, particularly 
in regard 


to the protection 
features 
of the iAPX 286. 
For 
example, 
code 
segments 
are 
distin- 


guished 
from 
data 
segments; 
and certain 


special access restrictions 
(such as Execute- 


Only or Read-Only) 
may 
be defined 
for 


segments 
of each type. 


Figure 
6-8 shows the access byte format 
for 


both 
code 
and 
data 
segment 
descriptors. 


Detailed 
discussion 
of the protection 
related 


fields 
within 
an access 
byte 
(Conforming, 


Execute-Only, 
Descriptor 
Privilege 
Level, 
Expand 
Down, 
and 
Write-Permitted), 
and 


their use in implementing 
protection 
policies, 
is deferred 
to Chapter 
7. The 
two 
fields 
Accessed 
and 
Present 
are 
used 
for 
virtual 


memory 
implementations. 


6.6 
MEMORY MANAGEMENT REGISTERS 


The Protected 
Virtual Address 
Mode features 
of the iAPX 286 operate 
at high performance 
due to extensions 
to the basic iAPX 86 regis- 


ter set. Figure 
6-9 illustrates 
that 
portion 
of 
the extended 
register 
structure 
that 
pertains 
to memory 
management. 
(For 
a complete 
summary 
of all Protected 
Mode 
registers, 
refer to section 
10.1). 
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6.6.1 
Segment Address Translation 
Registers 


Figure 
6-9 shows the segment 
registers 
CS,DS,ES, and SS. In contrast to their usual 
representation, 
however, these registers are 
now depicted as 64-bit registers, each with 
"visible" and "hidden" components. 


The visible portions of these segment address 
translation 
registers 
are manipulated 
by 
programs exactly as if they were simply the 
16-bit segment registers 
of Real Address 
Mode. By loading a segment selector into one 
of these registers, the program makes the 
associated segment one of its four currently 
addressable segments. 


The operations that load these registers-or, 
more exactly, 
those that 
load the visible 
portion 
of these 
registers-are 
normal 
program instructions. These instructions may 
be divided into two categories: 


1. Direct load instructions. 
These instruc- 
tions (such as LDS, LES, MaY, 
pop, 


etc.) explicitly reference the SS, DS, or ES 
segment 
registers 
as the 
destination 
operand. 


2. Implied load instructions. These instruc- 
tions (such as CALL and JMP) implicitly 
reference the CS code segment register; as 
a result of these operations, the contents of 
CS are altered. 
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visible part of the segment register with a 
16-bit selector (i.e., the high-order word of a 
virtual address pointer). 
Whenever 
this is 


done, the processor automatically references 
the appropriate descriptor table and loads the 
hidden part of the segment register with a 
corresponding 48-bit descriptor. 


The correspondence 
between selectors and 


descriptors 
has 
already 
been 
described. 
Remember that the selector's TI bit indicates 
one of the two descriptor tables, either the 
LDT or the GDT. Within the indicated table, 
a particular entry is chosen by the selector's 
13-bit INDEX field. This index, scaled by a 


Iacwr 
01 
1'5, represents the relative displace- 


ment of the chosen table entry (a descriptor). 


Thus, so long as a particular selector value is 
valid (i.e., 
it points 
to a valid 
segment 


descriptor within the bounds of the descriptor 
table), it can be readily associated with an 
8-byte descriptor. When a selector value is 
loaded into the visible part of a segment 
register, the iAPX 286 automatically loads 6 
bytes of the associated descriptor 
into the 


hidden part of the register. These 6 bytes, 
therefore, contain the size, base, and access 
type of the selected segment. Figure 6-10 
illustrates 
this 
transparent 
process 
of 


descriptor loading. 
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In effect, the hidden descriptor fields of the 
segment registers function as the memory 
management cache of the iAPX 286. All the 
information required to address the current 
working set of segments-that 
is, the base 
address, 
size, 
and 
access 
rights 
of the 
currently addressable segments-is 
stored in 
this memory cache. Unlike the probabilistic 
caches of other architectures, 
however, the 
iAPX 286 cache is completely deterministic: 
the 
caching 
of descriptors 
is explicitly 
controlled by the program. 


Most memory references do not require the 
translation of a full 32-bit virtual address, or 
long pointer. Operands that are located within 
one of the currently addressable segments, as 
determined by the four segment registers, can 
be referenced very efficiently by means of a 
short pointer, which is simply a 16-bit offset. 


In fact, most iAPX 286 instructions reference 
memory locations in precisely this way, speci- 
fying only a 16-bit offset with respect to one 
of the currently addressable segments. The 
choice of segments (CS, DS, ES, or SS) is 
either implicit within the instruction itself, or 
explicitly specified by means of a segment- 
override prefix (as described in Chapter 2). 


Thus, 
in most cases, 
virtual-to-physical 
address translation is actually performed in 
two separate steps. First, when a program 
loads a new value into a segment register, the 
processor immediately performs a mapping 
operation; the physical base address of the 
selected segment (as well as certain additional 
information) is automatically loaded into the 
hidden portion of the register. The internal 
cache registers (virtual 
address translation 
hardware) are therefore dynamically shared 
among the 
16K different 
segments poten- 
tially addressable within the user's virtual 
address space. No software overhead (either 
system or application) is required to perform 
this operation. 


Subsequently, as the program utilizes a short 
pointer 
to reference 
a location 
within 
a 
segment, the processor generates 
a 24-bit 
physical address simply by adding the speci- 
fied offset value to the previously 
cached 
segment base address. By encouraging the use 
of short pointers in this way, rather 
than 
requiring a full 32-bit virtual address for every 
memory reference, the iAPX 286 provides a 
very efficient on-chip mechanism for address 
translation, 
with minimum 
overhead 
for 
references to memory-based tables or the need 
for external address-translation devices. 


6.6.2 
System Address Registers 


The 
Global 
Descriptor 
Table 
Register 
(GDTR) is a dedicated 40-bit (5 byte) regis- 
ter used to record the base and size of a 
system's global descriptor table (GDT). Thus, 
two of these bytes define the size of the GDT, 
and three bytes define its base address. 


In figure 6-9, the contents of the GDTR are 
referred to as a "hidden descriptor." The term 
"descriptor" here emphasizes the analogy with 
the segment descriptors ordinarily found in 
descriptor tables. Just as these descriptors 
specify the base and size (limit) of ordinary 
segments, the GDTR register specifies these 
same parameters for that segment of memory 
serving as the system GDT. The limit prevents 
accesses to descriptors 
in the GDT from 
accessing beyond the end of the GDT and thus 
provides address space isolation at the system 
level as well as at the task level. 


The register contents are "hidden" only in the 
sense that they are not accessible by means 
of 
ordinary 
instructions. 
Instead, 
the 
dedicated protected instructions LGDT and 
SGDT are reserved for loading and storing, 
respectively, the contents of the GDTR 
at 
Protected Mode initialization (refer to section 
10.2 for details). Subsequent alteration of the 
GDT base and size values is not recom- 
mended but is a system option at the most 


privileged level of software (see section 7.3 for 
a discussion 
of privilege levels). 


The Local Descriptor 
Table Register 
(LDTR) 
is a dedicated 
40-bit register 
that contains, 
at 
any given moment, 
the base and size of the 
local descriptor 
table 
(LDT) 
associated 
with 
the currently 
executing 
task. Unlike 
GDTR, 
the LDTR 
register 
contains 
both a "visible" 
and a "hidden" 
component. 
Only the visible 
component 
is accessible, 
while 
the 
hidden 
component 
remains 
truly inaccessible 
even to 
dedicated 
instructions. 


The 
visible 
component 
of the 
LDTR 
is a 
16-bit "selector" 
field. The format 
of these 
16 bits 
corresponds 
exactly 
to that 
of a 
segment 
selector 
in a virtual 
address 
pointer. 
Thus, it contains 
a 13-bit INDEX 
field, a 1- 
bit TI field, and a 2-bit RPL 
field. The TI 
"table 
indicator" 
bit must be zero, indicating 
a reference to the GDT (i.e., to global address 
space). 
The 
INDEX 
field 
consequently 
provides an index to a particular 
entry within 
the GDT. This entry, in turn, must be an LDT 
descriptor 
(or descriptor 
table descriptor), 
as 
defined 
in the previous 
section. 
In this way, 


the visible "selector" 
field of the LDTR, 
by 
selecting 
an LDT descriptor, 
uniquely 
desig- 
nates a particular 
LDT in the system. 


The dedicated, 
protected 
instructions 
LLDT 
and 
SLDT 
are 
reserved 
for 
loading 
and 
storing, 
respectively, 
the 
visible 
selector 
component 
of the 
LDTR 
register 
(refer 
to 
section 
10.2 for details). 
Whenever 
a new 


value 
is loaded 
into 
the 
visible 
"selector" 
portion 
of LDTR, 
an 
LDT 
descriptor 
will 


have 
been 
uniquely 
chosen 
(assuming, 
of 
course, that the "selector" 
value is valid). 
In 
this case, the iAPX 
286 automatically 
loads 
the hidden "descriptor" 
portion of LDTR 
with 
five bytes from 
the chosen 
LDT 
descriptor. 
Thus, 
size 
and 
base 
information 
about 
a 
particular 
LDT, 
as recorded 
in a memory- 
resident 
global 
descriptor 
table 
entry, 
is 
cached in the LDTR 
register. 


New 
values 
may 
be loaded 
into the 
visible 
portion 
of the 
LDTR 
(and, 
thus, 
into 
the 
hidden portion as well) in either of two ways. 
The LLDT 
instruction, 
during 
system initial- 
ization, is used explicitly to set an initial value 
for the LDTR 
register; 
in this way, a local 
address space is provided 
for the first task in 
a multitasking 
environment. 
After 
system 
startup, explicit changes are not required 
since 
operations 
that 
automatically 
invoke 
a task 
switch 
(described 
in section 
8.4) 
appropri- 
ately manage 
the LDTR. 


At all times, the LDTR 
register 
thus records 
the physical 
base 
address 
(and 
size) 
of the 
current 
task's 
LDT; 
the 
descriptor 
table 
required for mapping the current 
local address 
space, therefore, 
is immediately 
accessible 
to 
the processor. 
Moreover, 
since GDTR 
always 
maintains 
the base address 
of the GDT, 
the 
table 
that 
maps 
the global 
address 
space 
is 
similarly 
accessible. 
The two system 
address 
registers, 
GDTR 
and LDTR, 
act as a special 
processor 
cache, 
maintaining 
current 
infor- 
mation 
about 
the 
two 
descriptor 
tables 
required, at any given time, for addressing 
the 
entire current 
virtual 
address 
space. 
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CHAPTER 7 
PROTECTION 


7.1 
INTRODUCTION 


In most microprocessor 
based 
products, 
the 
product's 
availability, 
quality, 
and reliability 
are determined 
by the software 
it contains. 
Software 
is often 
the 
key 
to a product's 
success. Protection 
is a tool used to shorten 
software 
development 
time, 
and 
improve 
software 
quality 
and reliability. 


Program 
testing 
is an 
important 
step 
in 
developing 
software. 
A system 
with 
protec- 
tion will detect 
software 
errors 
more quickly 
and accurately 
than a system without 
protec- 
tion. Eliminating 
errors via protection 
reduces 
the development 
time for a product. 


Testing 
software 
is difficult. 
Many 
errors 
occur 
only 
under 
complex 
circumstances 
which are difficult 
to anticipate. 
The result is 
that 
products 
are 
shipped 
with 
undetected 
errors. 
When 
such 
errors 
occur, 
products 
appear 
unreliable. 
The impact 
of a software 
error 
is multiplied 
if it introduces 
errors 
in 
other 
bug-free 
programs. 
Thus, 
the 
total 
system reliability 
reduces 
to that of the least 
reliable program 
running 
at any given time. 


Protection 
improves the reliability 
of an entire 
system 
by preventing 
software 
errors 
in one 
program 
from 
affecting 
other 
programs. 
Protection 
can keep the system running 
even 
when some user program 
attempts 
an invalid 
or prohibited 
operation. 


Hardware 
protection 
performs 
run-time 
checks in parallel 
with the execution 
of the 
program. 
But, hardware 
protection 
has tradi- 
tionally 
resulted 
in a design 
that 
is more 
expensive 
and slower than 
a system 
without 
protection. 
However, 
the iAPX 
286 provides 
hardware-enforced 
protection 
without 
the 
performance 
or 
cost 
penalties 
normally 
associated 
with protection. 


The protected 
mode 
iAPX 
286 implements 
extensive 
protection 
by integrating 
these 
functions 
on-chip. 
The iAPX 
286 protection 
is more 
comprehensive 
and 
flexible 
than 
comparable 
solutions. It can locate and isolate 
a large number of program 
errors and prevent 
the propagation 
of such errors 
to other tasks 
or programs. 
The 
protection 
of the 
total 
system detects 
and isolates 
bugs both during 
development 
and installed 
usage. 


The remaining 
sections of this chapter 
explain 
the 
protection 
model 
implemented 
in the 
iAPX 286. 


7.1.1 Types of Protection 


Protection 
in the iAPX 
286 has three 
basic 
aspects: 


1. 
Isolation 
of system 
software 
from 
user 
applications. 


2. 
Isolation 
of users from each other (Inter- 
task protection). 


3. 
Data-type 
checking. 


The iAPX 
286 provides 
a four-level, 
ringed- 
type, 
increasingly-privileged 
protection 
mechanism 
to isolate 
applications 
software 
from various layers of system 
software. 
This 
is a major 
improvement 
and extension 
over 
the simpler two-level user jsupervisor 
mecha- 
nism 
found 
in 
many 
systems. 
Software 
modules 
in a supervisor 
level are 
protected 
from 
modules 
in the 
application 
level 
and 
from 
software 
in less privileged 
supervisor 
levels. 


Restricting 
the addressability 
of a software 
module enables an operating 
system to control 
system 
resources 
and 
priorities. 
This 
is 
especially 
important 
in an environment 
that 


supports 
multiple 
concurrent 
users. 
Multi- 


user, multi-tasking, 
and distributed 
process- 


ing systems 
require 
this complete 
control 
of 


system 
resources 
for 
efficient, 
reliable 


operation. 


The second 
aspect 
of protection 
is isolating 
users from each other. Without 
such isolation 


an error in one user program 
could affect the 
operation 
of another 
error-free 
user program. 
Such 
subtle 
interactions 
are 
difficult 
to 


diagnose 
and repair. 
The reliability 
of appli- 


cations programs 
is greatly enhanced 
by such 


isolation of users. 


Within a system or application 
level program, 


the iAPX 
286 will ensure 
that 
all code and 


data 
segments 
are properly 
used (e.g., 
data 
cannot 
be executed, 
programs 
cannot 
be 
modified, 
and offset must 
be within 
defined 


limits, 
etc.). 
Such 
checks 
are performed 
on 


every memory 
access to provide full run-time 
error checking. 


7.1.2 
Protection Implementation 


The 
protection 
hardware 
of the 
iAPX 
286 


establishes 
constraints 
on 
memory 
and 


instruction 
usage. 
The 
number 
of possible 
interactions 
between 
instructions, 
memory, 
and I/O 
devices is practically 
unlimited. 
Out 


of this very large field the protection 
mecha- 


nism 
limits 
interactions 
to 
a controlled, 


understandable 
subset. Within this subset fall 


the list of "correct" 
operations. 
Any opera- 


tion that does not fall into this subset 
is not 


allowed by the protection 
mechanism 
and is 


signalled 
as a protection 
violation. 


To understand 
protection 
on the iAPX 
286, 
you must begin with its basic parts: segments 
and tasks. iAPX 286 segments 
are the small- 


est region 
of memory 
which 
have 
unique 


protection 
attributes. 
Modular 
programming 


automatically 
produces 
separate 
regions 
of 


memory 
(segments) 
whose 
contents 
are 


treated 
as a whole. 
Segments 
reflect 
the 


natural 
construction 
of a program, 
e.g., code 


for module 
A, data 
for module 
A, stack 
for 


the task, 
etc. All parts 
of the 
segment 
are 


treated 
in the same 
way by the iAPX 
286. 


Logically separate 
regions of memory 
should 


be in separate 
segments. 


The memory 
segmentation 
model (see figure 


7-1) 
of the 
iAPX 
286 
was 
designed 
to 


optimally execute code for software 
composed 
of independent 
modules. 
Modular 
programs 
are 
easier 
to 
construct 
and 
maintain. 


Compared 
to monolithic 
software 
systems, 


modular 
software 
systems 
have 
enhanced 
capabilities, 
and are typically easier to develop 


and test for proper operation. 


Each segment 
in the system 
is defined 
by a 


memory-resident 
descriptor. 
The 
protection 


hardware 
prevents 
accesses 
outside 
the data 
areas 
and 
attempts 
to modify 
instructions, 


etc., as defined 
by the descriptors. 
Segmen- 


tation 
on the 
iAPX 
286 
allows 
protection 


hardware 
to be integrated 
into the CPU 
for 


full data access control without 
any perform- 
ance impact. 


The segmented 
memory 
architecture 
of the 


iAPX 
286 provides 
unique 
capabilities 
for 


regulating 
the 
transfer 
of control 
between 


programs. 


Programs 
are 
given 
direct 
but 
controlled 
access to other procedures 
and modules. 
This 
capability 
is the heart of isolating 
application 
and 
system 
programs. 
Since 
this 
access 
is 


provided and controlled 
directly 
by the iAPX 
286 
hardware, 
there 
is no 
performance 


penalty. 
A system 
designer 
can take 
advan- 


tage of the iAPX 286 access control to design 
high-performance 
modular 
systems 
with 
a 


high degree of confidence 
in the integrity 
of 


the system. 
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Access 
control 
between 
programs 
and the 
operating 
system is implemented 
via address 
space separation 
and a privilege 
mechanism. 
The address 
space control 
separates 
applica- 
tions 
programs 
from 
each 
other 
while 
the 
privilege mechanism 
isolates system software 
from 
applications 
software. 
The 
privilege 
mechanism 
grants 
different 
capabilities 
to 
programs 
to access 
code, 
data, 
and 
I/O 
resources 
based on the associated 
protection 
level. Trusted 
software that controls the whole 
system 
is typically 
placed 
at the most privi- 
leged 
level. Ordinary 
application 
software 
does 
not 
have 
to deal 
with 
these 
control 


mechanisms. 
They come into play only when 
there 
is a transfer 
of control 
between 
tasks, 
or if the Operating 
System 
routines 
have to 
be invoked. 


The protection 
features 
of multiple 
privilege 
levels extend to ensuring 
reliable 
I/O 
control. 


However, for a system designer to enable only 
one specific level to do I/O 
would excessively 
constrain 
subsequent 
extensions 
or applica- 
tion 
development. 
Instead, 
the 
iAPX 
286 
permits 
each task to be assigned 
a separate 
minimum 
level where 
I/O 
is allowed. 
I/O 
privilege is discussed 
in section 
10.3. 


and programs. 
Programs 
(e.g., instructions 
in 


code segments) 
are 
static 
and 
consist 
of a 


fixed set of code and data segments 
each with 


an associated 
privilege 
level. 
The 
privilege 


assigned 
to a program 
determines 
what 
the 


program 
may do when 
executed 
by a task. 
Privilege 
is assigned 
to a program 
when the 


system is built or when the program 
is loaded. 


Tasks are dynamic; 
they execute one or more 


programs. 
Task 
privilege 
changes 
with time 


according to the privilege level of the program 
being executed. 
Each task has a unique set of 


attributes 
that 
define 
it, e.g., address 
space, 
register 
values, stack, 
data, 
etc. A task may 


execute a program 
if that program 
appears 
in 


the task's address 
space. The rules of protec- 
tion control 
determine 
when a program 
may 
be executed 
by a task, 
and 
once 
executed, 


determine 
what the program 
may do. 


7.2 
MEMORY 
MANAGEMENT 
AND 
PROTECTION 


The protection 
hardware 
of the iAPX 
286 is 


related to the memory management 
hardware. 
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segments, 
they 
are 
stored 
along 
with 
the 
memory 
management 
information 
in the 
segment 
descriptor. 
The protection 
informa- 
tion is specified when the segment 
is created. 
In addition 
to privilege 
levels, the descriptor 
defines the segment type (e.g., Code segment, 
Data 
segment, 
etc.). 
Descriptors 
may 
be 
created 
either by program 
development 
tools 


or by a loader in a dynamically 
loaded repro- 


grammable 
environment. 


The protection 
control information 
consists of 


a segment 
type, its privilege 
level, and size. 
These 
are 
fields 
in the 
access 
byte 
of the 


segment 
descriptor 
(see 
figure 
7-2). 
This 


information 
is saved on-chip 
in the program- 
mer invisible section of the segment 
register 


for fast access during execution. 
These entries 


are changed 
only when a segment 
register 
is 
loaded. 
The 
protection 
data 
is used 
at two 
times: 
upon loading 
a segment 
register 
and 
upon each reference 
to the selected 
segment. 


The hardware 
performs 
several checks while 
loading 
a segment 
register. 
These 
checks 
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enforce 
the protection 
rules 
before 
any 


memory reference is generated. The hardware 
verifies that the selected segment is valid (is 
identified by a descriptor, is in memory, and 
is accessible from the privilege level in which 
the program is executing) and that the type 
is consistent with the target segment register. 
For example, you cannot load a read-only 
segment descriptor into SS because the stack 
must always be writable. 


Each reference into the segment defined by a 
segment register is checked by the hardware 
to verify that it is within the defined limits of 
the segment and is of the proper type. For 
example, a code segment or read-only data 
segment cannot be written. All these checks 
are made before the memory cycle is started; 
any violation will prevent that cycle from 
starting 
and cause an exception 
to occur. 


Since the checks are performed concurrently 
with address formation, there is no perform- 
ance penalty. 


By controlling the access rights and privilege 
attributes of segments, the system designer 
can assure a program will not change its code 
or over write data belonging to another task. 
Such assurances 
are vital to maintaining 


system integrity in the face of error-prone 
programs. 


7.2.1 
Separation of Address Spaces 


As described in Chapter 
6, each task can 


address up to a gigabyte (214-1 segments of 
up to 65536 bytes each) of virtual memory 
defined by the task's LDT (Local Descriptor 
Table) and the system GDT. Up to one-half 
gigabyte (213-1 segments of up to 65536 
bytes each) of the task's address space is 
defined by the LDT and represents the task's 
private address space. The remaining virtual 
address space is defined by the GDT and is 
common to all tasks in the system. 


Each descriptor table is itself a special kind 
of segment 
recognized 
by the iAPX 
286 
architecture. 
These tables 
are defined by 
descriptors in the GDT (Global Descriptor 
Table). The CPU has a set of base and limit 
registers that point to the GDT and the LDT 
of the currently running task. The descriptor 
table registers are loaded by a task switch 
operation. 


An active task can only load selectors that 
reference segments defined by descriptors in 
either the GDT or its private LDT. Since a 
task cannot reference 
descriptors 
in other 
LDTs, and no descriptors in its LDT refer to 
data or code belonging 
to other 
tasks, 
it 
cannot gain access to another tasks' private 
code and data (see figure 7-3). 


Since the GDT contains information that is 
accessible by all users (e.g., library routines, 
common data, Operating 
System services, 


etc.), the iAPX 286 uses privilege levels and 
special descriptor types to control access (see 
section 7.2.2). Privilege levels protect more 
trusted data and code (in GDT and LDT) 
from less trusted access (WITHIN 
a task), 
while the private 
virtual 
address 
spaces 
defined by unique LDTs provide protection 
BETWEEN tasks (see figure 7-4). 


7.2.2 
LOT and GOT Access Checks 


All descriptor tables have a limit used by the 
protection hardware to ensure address space 
separation of tasks. Each task's LDT can be 
a different size as defined by its descriptor in 
the GDT. The GDT may also contain less 
than 8091 descriptors as defined by the GDT 
limit value. The descriptor table limit identi- 
fies the last valid byte of the last descriptor 
in that table. Since each descriptor is eight 
bytes long, the limit value is N X 8- 1 for N 
descriptors. 


Any attempt by a program to load a segment 
register, 
local 
descriptor 
table 
register 


(LDTR), or task register (TR) with a selec- 
tor that refers to a descriptor outside the 
corresponding limit causes an exception with 
an error code identifying the invalid selector 
used (see figure 7-5). 


Not all descriptor entries in the GDT or LDT 
need contain a valid descriptor. There can be 


holes, or "empty" descriptors, in the LDT and 
GDT. "Empty" 
descriptors 
allow dynamic 


allocation and deletion of segments or other 
system objects without changing the size of 
the GDT or LDT. Any descriptor with an 
access byte equal to zero is considered empty. 
Any attempt to load a segment register with 
a selector that refers to an empty descriptor 
will cause an exception with an error code 
identifying the invalid selection. 
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After checking that a selector reference is 
within the bounds of a descriptor table and 
refers to a non-empty descriptor, the type of 
segment defined by the descriptor is checked 
against the destination register. Since each 
segment register has predefined 
functions, 
each must refer to certain types of segments 
(see section 7.4.1). An attempt 
to load a 
segment register in violation of the protection 
rules causes an exception. 


The "null" 
selector 
is a special 
type of 
segment selector. It has an index field of all 
zeros and a table indicator of O. The null 
selector appears to refer to GDT descriptor 
entry #0. This selector value may be used as 
a place holder in the DS or ES segment regis- 
ters; it may be loaded into them without 
causing an exception. However, any attempt 
to use the null segment registers to reference 
memory will cause an exception and prevent 
any memory cycle from occurring. 


7.3 
PRIVILEGE LEVELS AND PROTECTION 


As explained in section 6.2, each task has its 
own separate virtual address space defined by 
its LDT. All tasks share a common address 
space defined 
by the GDT. 
The system 
software then has direct access to task data 
and can treat all pointers in the same way. 


Protection is required to prevent programs 
from improperly 
using code or data that 
belongs to the operating system. The four 
privilege levels of the iAPX 286 provide the 
isolation needed between the various layers of 
the system. The iAPX 286 privilege levels are 
numbered from 0 to 3, where 0 is the most 
trusted level, 3 the least. 


Privilege 
level is a protection 
attribute 
assigned to all segments. It determines which 
procedures 
can access the segment. 
Like 
access rights and limit checks, privilege checks 


. 


and 
thus 
protects 
both 
data 
and 
code 
segments. 


Privilege on the iAPX 286 is hierarchical. 
Operating 
system code and data segments 
placed at the most privileged level (0) cannot 
be accessed directly by programs at other 
privilege levels. Programs at privilege level 0 
may access data at all other levels. Programs 
at privilege levels 1-3 may only access data at 
the same or less trusted (numerically greater) 
privilege levels. Figure 7-6 illustrates 
the 
privilege level protection 
of code or data 
within tasks. 


In figure 7-6, programs can access data at the 
same or outer level, but not at inner levels. 
Code and data segments placed at level 1 
cannot be accessed by programs executing at 
levels 2 or 3. Programs at privilege level 0 can 
access data at level 1 in the course of provid- 
ing service to that level. iAPX 286 provides 
mechanisms for inter-level transfer of control 
when needed (see section 7.5). 


The four privilege levels of the iAPX 286 are 
an extension of the typical two-level user/ 
supervisor privilege mechanism. 
Like user 
mode, application programs in the outer level 
are not permitted 
direct 
access 
to data 
belonging to more privileged system services 
(supervisor mode). The iAPX 286 adds two 
more privilege levels to provide protection for 
different layers of system software (system 
services, I/O drivers, etc.). 


7.3.1 
Example of Using Four Privilege 
Levels 


Two extra privilege levels allow development 
of more reliable, and flexible system software. 
This is achieved by dividing the system into 
small, independent units. Figure 7-6 shows an 
example of the usage of different protection 
levels. Here, the most privileged level is called 


the kernel. This software would provide basic, 
application-independent, 
CPU-oriented 


services 
to all tasks. 
Such 
services 
include 


memory 
management, 
task 
isolation, 
multi- 


tasking, 
inter-task 
communication, 
and I/O 


resource 
control. 
Since 
the 
kernel 
is only 


concerned 
with simple functions 
and cannot 


be affected 
by software 
at 
other 
privilege 


levels, it can be kept small, safe, and under- 
standable. 


Privilege 
level 
one 
is designated 
system 


services. 
This 
software 
provides 
high-level 


functions 
like file access scheduling, 
charac- 


ter I/O, 
data 
communcations, 
and resource 


allocation 
policy 
which 
are 
commonly 


expected 
in 
all 
systems. 
Such 
software 


remains 
isolated 
from applications 
programs 
and relies on the services 
of the kernel, 
yet 
cannot affect the integrity 
of level O. 


Privilege 
level 
2 is the 
custom 
operating 
system 
extensions 
level. 
It 
allows 
standard 
system 
software 
to be customized. 
Such 
customizing 
can be kept isolated 
from errors 
in applications 
programs, 
yet cannot affect the 
basic 
integrity 
of 
the 
system 
software. 


Examples of customized 
software are the data 
base manager, 
logical file access services, etc. 


This is just one example of protection 
mecha- 
nism usage. 
Levels 
I and 2 may be used in 
many 
different 
ways. 
The 
usage 
(or 
non- 
usage) is up to the system designer. 


Programs 
at each privilege 
level are isolated 


from 
programs 
at outer 
layers, 
yet 
cannot 


affect 
programs 
in inner 
layers. 
Programs 


written for each privilege level can be smaller, 
easier to develop, and easier to maintain 
than 


a monolithic system where all system software 
can affect all other system software. 


7.3.2 Privilege Usage 


Privilege 
applies 
to tasks and three 
types of 
descriptors: 


1. 
Main memory 
segments 


2. 
Gates (control descriptors 
for state or task 


transitions, 
discussed 
in sections 
7.5.1, 
7.5.3, 8.3, 8.4 and 9.2) 


3. 
Task 
state 
segments 
(discussed 
In 


Chapter 
8). 


Task privilege is a dynamic value. It is derived 
from 
the 
code 
segment 
currently 
being 


executed. 
Task 
privilege 
can change 
only 


when a control 
transfers 
to a different 
code 


segment. 


Descriptor 
privilege, 
including 
code segment 


privilege, is assigned when the descriptor 
(and 


any 
associated 
segment) 
is created. 
The 


system 
designer 
assigns 
privilege 
directly 


when 
the 
system 
is constructed 
with 
the 


system 
builder 
(see the iAPX 
286 Builder 


User's Guide) or indirectly 
via a loader. 


Each task operates 
at only one privilege level 


at any given moment: 
namely that of the code 


segment 
being 
executed. 
(The 
conforming 


segments 
discussed 
in section 
11.2 permit 


some flexibility 
in this regard.) 
However, 
as 


figure 
7-5 indicates, 
the 
task 
may 
contain 


segments 
at one, two, three, or four levels, all 


of which are to be used at appropriate 
times. 
The privilege level of the task, then, changes 
under the carefully 
enforced 
rules for trans- 


fer of control 
from 
one 
code 
segment 
to 


another. 


The descriptor 
privilege 
attribute 
is stored in 


the access byte of a descriptor 
and is called 
the Descriptor 
Privilege 
Level (DPL). 
Task 


privilege is called the Current 
Privilege 
Level 
(CPL). 
The least significant 
two bits of the 


CS register 
specify the CPL. 


A few general rules of privilege can be stated 
before 
the 
detailed 
discussions 
of 
later 


sections. 
Data 
access 
is restricted 
to those 


segments 
whose privilege level is the same or 


less privileged 
(numerically 
greater) 
than the 


current 
privilege 
level 
(CPL). 
Direct 
code 


access, e.g., via call or jump, 
is restricted 
to 


code 
segments 
of equal 
privilege. 
A gate 


(section 
7.5.1) is required 
for access to code 


at more privileged 
levels. 


7.4 SEGMENT DESCRIPTOR 


Although 
the format 
of access control 
infor- 
mation, 
discussed 
below, is similar 
for both 


data and code segment 
descriptors, 
the rules 


for accessing data segments 
differ from those 


for transferring 
control 
to code 
segments. 


Data 
segments 
are 
meant 
to be accessible 


from many 
privilege 
levels, e.g., from 
other 
programs 
at 
the 
same 
level 
or 
from 
deep 


within 
the 
operating 
system. 
The 
main 


restriction 
is that they cannot 
be accessed 
by 


less privileged code. 


Code segments, 
on the other hand, are meant 


to be executed 
at 
a single 
privilege 
level. 


Transfers 
of control 
that 
cross 
privilege 


boundaries 
are tightly restricted, 
requiring 
the 


use of gates. Control 
transfers 
within a privi- 
lege level can also use gates, but they are not 
required. 
Control 
transfers 
are discussed 
in 


section 7.5. 


Protection 
checks 
are automatically 
invoked 


at several points 
in selecting 
and using new 


segments. 
The process of addressing 
memory 


begins when the currently 
executing 
program 


attempts 
to load 
a selector 
into one of the 


segment 
registers. 
As discussed 
in Chapter 
6, 


the selector has the form shown in figure 7-7. 


When a new selector is loaded into a segment 
register, 
the processor 
accesses the associated 


descriptor 
to perform 
the necessary 
loading 


and privilege checks. 


The protection 
mechanism 
verifies 
that 
the 


selector 
points to a valid descriptor 
type for 


the segment 
register (see section 7.4.1). After 


verifying 
the 
descriptor 
type, 
the 
CPU 
compares the privilege level of the task (CPL) 
to the privilege level in the descriptor 
(DPL) 
before 
loading 
the 
descriptor's 
information 
into the cache. 


The general 
format 
of the eight 
bits in the 
segment 
descriptor's 
access 
rights 
byte 
is 
shown in table 7-1. 
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BITS 
NAME 
FUNCTION 


1·0 
REQUESTED 
INDICATES 
SELECTOR 
PRIVILEGE 


PRIVILEGE 
LEVEL DESIRED 
LEVEL (RPL) 


2 
TABLE 
TI 
~ 
0 USE GLOBAL 
DESCRIPTOR TABLE 


INDICATOR 
(GDT) 
(TI) 


TI 
~ 
1 USE LOCAL 
DESCRIPTOR 
TABLE 


(LDT) 


15·3 
INDEX 
SELECT DESCRIPTOR ENTRY BY TABLE 


Bit 
Name 
Description 


7 
Present 
1 means Present and addressable in real memory; a means not 
present. See section 11.3. 


6,5 
DPL 
2-bit Descriptor Privilege Level, a to 3. 


4 
Segment 
1 means Segment descriptor; a means control descriptor. 


For Segment= 1, the remaining bits have the following meanings: 


3 
Executable 
1 means code, a means data. 


2 
C or ED 
If code, Conforming: 1 means yes, a no. 
If data, Expand Down: 1 yes, a no-normal 
case. 


1 
R orW 
If code, Readable: 1 means readable, a not. 
If data, Writable: 1 means writable, a not. 


a 
Accessed 
1 if segment descriptor has been Accessed, a if not. 


NOTE: When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local Descriptor 
Table, and the meanings of bits a through 3 change. Control transfers and descriptors are discussed in 
section 7.5. 


For example, 
the access rights byte for a data 
and code segment 
present in real memory 
but 


not yet accessed (at the same privilege 
level) 
are shown in figure 7-8. 


Whenever 
a segment 
descriptor 
is loaded into 
a segment 
register, 
the 
accessed 
bit in the 
descriptor 
table is set to I. This bit is useful 


for 
determining 
the 
usage 
profile 
of the 
segment. 


The Intel 
reserved 
bytes 
in the segment 


descriptor 
must be set to 0 for compati- 


bility with iAPX 386. 


7.4:1 Data Accesses 


Data 
may be accessed 
in data 
segments 
or 


readable 
code segments. 
When 
DS or ES is 
loaded with a new selector, 
e.g., by an LDS, 
LES, or MOV to ES, SS, or DS instruction, 


the 
bits in the 
access 
byte 
are 
checked 
to 
verify 
legitimate 
descriptor 
type 
and 
access 
(see table 7-2). If any test fails, an error code 
is pushed onto the stack identifying 
the selec- 


tor involved (see figure 7-5 for the error code 
format). 


A privilege check is made when the segment 
register is loaded. In general, a data segment's 
DPL 
must 
be numerically 
greater 
than 
or 
equal to the CPL. 
The DPL 
of a descriptor 


loaded 
into 
the 
SS must 
equal 
the 
CPL. 


Conforming 
(readable) 
code segments 
are an 


exception 
to privilege checking 
rules. 


Once the segment 
descriptor 
and selector 
are 


loaded, 
the 
offset 
of subsequent 
accesses 
within 
the segment 
are checked 
against 
the 


limit given in the segment 
descriptor. 
Violat- 


ing the segment 
size limit causes 
a General 


Protection 
exception 
with an error code of O. 
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0 I 
I 


1 
01 
1 
0 
0 
0 I 


7 
0 
7 
0 


Readable 
Code 
Segment 
Writable 
Code 
Segment 


Allowed 
Segment Types 


Segment Register 
Read Only 
Read-Write 
Execute 
Only 
Execute-Read 


Data Segment 
Data Segment 
Code Segment 
Code Segment 


OS 
Yes 
Yes 
No 
Yes 


ES 
Yes 
Yes 
No 
Yes 


SS 
No 
Yes 
No 
No 


CS 
No 
No 
Yes 
Yes 


A normal 
data 
segment 
is addressed 
with 


offset values ranging 
from 0 to the size of the 


segment. When the ED bit of the access rights 
byte 
in the 
segment 
descriptor 
is 0, the 


allowed range of offsets is OOOOHto the limit. 
If limit is OFFFFH, 
the data segment contains 


65536 bytes. 


Since stacks normally 
occupy different 
offset 


ranges 
(lower 
limit 
to OFFFFH) 
than 
data 


segments, 
the 
limit 
field 
of 
a 
segment 


descriptor 
can be interpreted 
in two ways. The 


Expand 
Down 
(ED) 
bit in the 
access 
byte 


allows offsets for stack segments to be greater 
than 
the 
limit 
field. 
When 
ED 
is I, the 


allowed range of offsets within the segment 
is 
limit + I to OFFFFH. 
To allow a full stack 


segment, 
set 
ED 
to 
I and 
the 
limit 
to 


OFFFFH. 
The 
ED 
bit 
of a data 
segment 


descriptor 
does not have to be set for use in 


SS (i.e., 
it will 
not 
cause 
an exception). 


Section 
7.5.4 discusses 
stack 
segment 
usage 


in greater 
detail. 
An expand 
down (ED= 
I) 


segment 
can be loaded into ES or DS. 


Limit and access checks are performed 
before 


any memory 
reference 
is started. 
For stack 


push instructions 
(PUSH, 
PUSHA, 
ENTER, 


CALL, 
INT), 
a possible 
limit 
violation 
is 


identified 
before 
any 
internal 
registers 
are 


updated. 
Therefore, 
these 
instructions 
are 


fully restartable 
after a stack size violation. 


7.4.2 
Code Segment Access 


Code 
segments 
are 
accessed 
via 
CS 
for 


execution. Segments 
that are execute-only 
can 
ONL Y be executed; 
they cannot 
be accessed 


via DS or ES, nor read 
via CS with 
a CS 


override prefix. If a segment is executable 
(bit 


3 = I in the access byte), access via DS or ES 
is possible 
only if it is also readable. 
Thus, 
any code segment that also contains data must 
be readable. 
(Refer 
to Chapter 
2 for a discus- 


sion of segment 
override 
prefixes.) 


An 
execute-only 
segment 
preserves 
the 
privacy 
of the code against 
any attempt 
to 
read 
it; such 
an 
attempt 
causes 
a general 
protection 
fault 
with an error 
code of O. A 
code segment cannot be loaded into SS and is 
never 
writable. 
Any 
attempted 
write 
will 
cause a general 
protection 
fault with an error 
code of O. 


The limit field of a code segment 
descriptor 
identifies 
the last byte in the segment. 
Any 
offset greater 
than the limit value will cause 
general 
protection. 
The 
prefetcher 
of the 
iAPX 
286 can never cause 
a code segment 
limit violation. 
The program 
must attempt 
to 
execute 
an instruction 
beyond 
the end of the 
code segment 
to cause an exception. 


If a readable 
non-conforming 
code segment 
is 
to be loaded into DS or ES, the privilege level 
requirements 
are the same as those stated 
for 
data segments 
in 7.4.1. 


Code segments 
are subject 
to different 
privi- 
lege checks when executed. 
The normal 
privi- 
lege requirement 
for a jump or call to another 
code segment is that the current 
privilege level 
equal the descriptor 
privilege level of the new 
code 
segment. 
Jumps 
and 
calls 
within 
the 
current 
code segment 
automatically 
obey this 
rule. 


Return 
instructions 
may pass control 
to code 
segments 
at the 
same 
or less (numerically 
greater) 
privileged 
level. Code 
segments 
at 
more privileged 
levels may only be reached 
via a call through 
a call gate as described 
in 
section 7.5. 


An exception 
to this, previously 
stated, 
is the 
conforming 
code segment that allows the DPL 
of the requested 
code segment 
to be numeri- 
cally less than (of greater 
privilege 
than) 
the 
CPL. 
Conforming 
code 
segments 
are 
discussed 
in section 
11.2. 


Privilege Level 


This 
section 
describes 
privilege 
verification 


when accessing either data segments 
(loading 


segment 
selectors 
into 
DS, 
ES, 
or SS) 
or 


readable 
code segments. 
Privilege verification 


when loading CS for transfer 
of control across 


privilege levels is described 
in the next section. 


Three basic kinds of privilege level indicators 
are used when determining 
accessibility 
to a 


segment 
for reading 
and writing. 
They 
are 


termed 
Current 
Privilege 
Level 
(CPL), 
Descriptor 
Privilege 
Level 
(DPL), 
and 


Requested 
Privilege 
Level (RPL). 
The CPL 


is simply 
the 
privilege 
level 
of the 
code 


segment 
that 
is executing 
(except 
if the 


current 
code 
segment 
is conforming). 
It 
is 
stored 
as bits 
0 and 
I of the 
CS 
and 
SS 


registers. 


DPL is the privilege level of the segment; 
it is 
stored in bits 5 and 6 of the access byte of a 
descriptor. 
For data 
access to data 
segments 


and non-conforming 
code 
segments, 
CPL 


must be numerically 
less than or equal to DPL 


(the task must 
be of equal 
or greater 
privi- 
lege) for access to be granted. 
Violation of this 
rule during segment 
load instruction 
causes a 


general 
protection 
exception 
with 
an 
error 


code identifying 
the selector. 


While 
the 
enforcement 
of DPL 
protection 


rules provides 
the mechanism 
for the 
isola- 


tion of code and data 
at different 
privilege 


levels, 
it is conceivable 
that 
an erroneous 


pointer 
passed 
onto a more trusted 
program 


might result in the illegal modification 
of data 
with a higher 
privilege 
level. This possibility 
is prevented 
by the enforcement 
of effective 


privilege 
level 
protection 
rules 
and 
correct 


usage of the RPL value. 


The RPL 
(requested 
privilege 
level) is used 


for pointer 
validation. 
It is the least 
signifi- 


the 
segment 
register. 
RPL 
is intended 
to 


indicate the privilege level of the originator 
of 


that selector. A selector 
may be passed down 


through 
several procedures 
at different 
levels. 


The 
RPL 
reflects 
the privilege 
level of the 


original supplier of the selector, 
not the privi- 
lege level of the intermediate 
supplier. 
The 


RPL must be numerically 
less than 
or equal 


to the DPL of the descriptor 
selected, 
thereby 


indicating 
greater 
or equal 
privilege 
of the 
supplier; 
otherwise, 
access 
is denied 
and 
a 


general 
protection 
violation 
occurs. 


Pointer 
validity 
testing 
is required 
in any 


system 
concerned 
with 
preventing 
program 


errors 
from destroying 
system 
integrity. 
The 


iAPX 
286 provides 
hardware 
support 
for 


pointer 
validity 
testing. 
The 
RPL 
field 
indicates 
the privilege 
level of the originator 


of the pointer to the hardware. 
Access will be 


denied if the originator 
of the pointer 
did not 


have access to the selected 
segment 
even if 


the CPL is numerically 
less than or equal to 


the DPL. RPL can reduce the effective 
privi- 
lege of a task when using a particular 
selec- 
tor. 
RPL 
never 
allows 
access 
to 
more 


privileged segments (CPL must always be less 
than or equal to DPL). 


A fourth 
term 
is sometimes 
used: the Effec- 
tive Privilege Level (EPL). 
It is defined as the 


numeric 
maximum 
of the 
CPL 
and 
the 


RPL-meaning 
the 
one of lesser 
privilege. 


Access to a protected 
entity 
is granted 
only 


when the 
EPL 
is numerically 
less than 
or 


equal to the DPL of that entity. This is simply 
another 
way of saying 
that 
both 
CPL 
and 
RPL must be less than 
or equal 
to DPL for 


access to be granted. 


7.4.4 
Pointer Privilege Stamping via ARPL 


The 
ARPL 
instruction 
is provided 
in the 


iAPX 
286 to fill the RPL 
field of a selector 


with 
the 
minimum 
privilege 
(maximum 


numeric 
value) of the selector's 
current 
RPL 


and the caller's 
CPL (given in an instruction- 


specified register). 
A straight 
insertion 
of the 


caller's CPL would mark the pointer with the 
privilege level of the caller, but not necessar- 
ily the ultimate 
originator 
of the selector (e.g., 
Level 3 supplies a selector to a level 2 routine 
that 
calls 
a level 0 routine 
with 
the 
same 


selector). 


Figure 7-9 shows a program 
with an example 


of such a situation. 
The program 
at privilege 


level 3 calls a routine 
at level 2 via a gate. 
The routine at level 2 uses the ARPL 
instruc- 


tion to assure 
that 
the selector's 
RP 
is 3. 
When 
the level 2 routine 
calls a routine 
at 


level 0 and 
passes 
the 
selector, 
the 
ARPL 


instruction 
at level 0 leaves 
the 
RPL 
field 


unchanged. 


Marking 
a pointer with the originator's 
privi- 


lege 
eliminates 
the 
complex 
and 
time- 


consuming 
software 
typically 
associated 
with 


pointer 
validation 
in less 
comprehensive 


architectures. 
The 
iAPX 
286 
hardware 


performs 
the pointer test automatically 
while 


loading the selector. 


Privilege 
errors 
are trapped 
at the time 
the 


selector 
is 
loaded 
because 
pointers 
are 


commonly 
passed 
to other 
routines, 
and 
it 


may 
not be possible 
to identify 
a pointer's 


originator. 
To verify the access capabilities 
of 


a pointer, it should be tested when the pointer 
is first received from an untrusted 
source. The 
VERR 
(Verify 
Read), 
VERW 
(Verify 


Write), 
and 
LAR 
(Load 
Access 
Rights) 
instructions 
are provided for this purpose. 


Although 
pointer validation 
is fully supported 
in the iAPX 
286, its use is an option 
of the 
system 
designer. 
To 
accommodate 
systems 
that do not require it, RPL can be ignored by 
setting 
selector 
RPLs 
to zero 
(except 
stack 
segment 
selectors) 
and 
not 
adjusting 
them 
with the ARPL 
instruction. 


Three 
kinds 
of control 
transfers 
can 
occur 
within a task: 


1. 
Within 
a segment, 
causing 
no change 
of 
privilege 
level 
(a short 
jump, 
call, 
or 
return). 


2. 
Between 
segments 
at the same privilege 
level (a long jump, call, or return). 


3. 
Between 
segments 
at different 
privilege 
levels (a long call, or return). 
(NOTE: 
A 
JUMP 
to a different 
privilege level is not 
allowed.) 


The first two types of control 
transfers 
need 
no special controls 
(with 
respect 
to privilege 
protection) 
beyond 
those 
discussed 
in 
section 7.4. 


Level 
3 
PUS 
H 
SELECTOR 
C ALL 
LEVEL 
2 


Level 
2 : 


ENTER 
4 I 0 
MOV 
A X I 
[B 
P J • 4 
GET 
CS 
of 
return 
address 
ARPL 
[ B P J • 8, 
A X 
Put 
3 
1 n 
RPL 
fie 
I d 


Level 
2 


PUSH 
WORD 
PH 
[ B P J .8 
Pas 
s 
selector 
CALL 
Level 
0 


Level 
o : 
ENTER 
6 • 0 


Level 
0 
MOV 
A X • 
[ B P J • 4 
; 
Get 
CS 
of 
return 
address 


ARPL 
[B 
P J • 8. 
A X 
; 
Leaves 
RPL 
unchanged 


Inter-level 
transfers 
require 
special consider- 


ation 
to 
maintain 
system 
integrity. 
The 


protection 
hardware 
must check that: 


• 
The task is currently 
allowed to access the 


destination 
address. 


• 
The correct 
entry address 
is used. 


To 
achieve 
control 
transfers, 
a 
special 


descriptor 
type called 
a gate 
is provided 
to 


mediate 
the change in privilege level. Control 


transfer 
instructions 
call the gate rather 
than 


transfer 
directly 
to a code segment. 
From the 


viewpoint 
of the program, 
a control 
transfer 


to a gate 
is the 
same 
as to another 
code 


segment. 


Gates allow programs 
to use other programs 


at more privileged 
levels in the same manner 


as a program 
at 
the 
same 
privilege 
level. 


Programmers 
need never distinguish 
between 


programs 
or subroutines 
that are more privi- 


leged than the current 
program 
and those that 


are not. The system 
designer 
may, however, 
elect to use gates only for control 
transfers 


that cross privilege levels. 


7.5.1 Gates 


A gate 
is a four-word 
descriptor 
used 
to 


redirect 
a control transfer 
to a different 
code 


segment 
in the same or more privileged 
level 


or to a different 
task. There are four types of 


gates: call, trap, interrupt, 
and task gates. The 


access rights byte distinguishes 
a gate from a 


segment 
descriptor, 
and determines 
which 


type of gate is involved. Figure 7-10 shows the 
format 
of a gate descriptor. 


A key feature 
of a gate is the re-direction 
it 


provides. 
All four 
gate 
types 
define 
a new 


address which transfers 
control when invoked. 
This destination 
address 
normally 
cannot 
be 


accessed 
by a program. 
Loading 
the selector 


to a call gate into SS, DS, or ES will cause a 
general 
protection 
fault 
with 
an error 
code 


identifying 
the invalid selector. 


Only the selector portion of an address is used 
to invoke a gate. The offset is ignored. All that 
a program 
need 
know 
about 
the 
desired 
function 
is the selector required 
to invoke the 


gate. The iAPX 
286 will automatically 
start 
the execution 
at the correct 
address. 


A further 
advantage 
of a gate 
is that 
it 


provides a fixed address 
for any program 
to 
invoke 
another 
program. 
The 
calling 
program's 
address 
remains 
unaltered 
even if 
the entry address 
of the destination 
program 
changes. 
Thus, 
gates 
provide 
a fixed 
set of 


entry 
points 
that 
allow 
a task 
to 
access 


Operating 
System 
functions 
such 
as simple 
subroutines, 
yet the task 
is prohibited 
from 
simply 
jumping 
into 
the 
middle 
of 
the 


Operating 
System. 


Call gates, 
as described 
in the next section, 


are used for control 
transfers 
within 
a task 
which must either be transparently 
redirected 
or which require an increase in privilege level. 
A call gate normally 
specifies a subroutine 
at 
a greater privilege level, and the called routine 
returns via a return instruction. 
Call gates also 
support 
delayed 
binding 
(resolution 
of target 
routine 
addresses 
at run-time 
rather 
than 


program-generation-time 
). 


Trap 
and 
interrupt 
gates 
handle 
interrupt 
operations 
that 
are to be serviced 
within 
the 
current 
task. Interrupt 
gates cause interrupts 


to be disabled; 
trap 
gates 
do not. Trap 
and 
interrupt 
gates both require 
a return 
via the 
interrupt 
return 
instruction. 


Task 
gates 
are 
used 
to control 
transfers 


between 
tasks and to make use of task state 
segments 
for task 
control 
and 
status 
infor- 
mation. 
Tasks 
are 
discussed 
in Chapter 
8, 


interrupts 
in Chapter 
9. 


In the 
iAPX 
286 
protection 
model, 
each 


privilege level has its own stack. Therefore, 
a 


control transfer 
(call or return) 
that changes 
the privilege 
level causes 
a new stack 
to be 


invoked. 


7.5.1.1 
CALL GATES 


Call 
gate 
descriptors 
are 
used 
by call 
and 


jump 
instructions 
in the same 
manner 
as a 


code 
segment 
descriptor. 
The 
hardware 


automatically 
recognizes 
that the destination 


selector refers to a gate descriptor. 
Then, the 
operation 
of the 
instruction 
is expanded 
as 
determined 
by the contents 
of the call gate. 


A jump instruction 
can access a call gate only 


if the 
target 
code 
segment 
is at the 
same 


07 
0 


+7 
INTEL RESERVED' 
+6 


+5 
P 
+4 


+3 
X 
X 
+2 


+1 
DESTINATION 
OFFSET 15.0 
0 


15 
8 
7 
0 


.MUST BE SET TO 0 FOR 
COMPATIBILITY 
WITH IAPX 386 


privilege 
level. A call instruction 
uses a call 
gate for the same or more privileged 
access. 


A call gate descriptor 
may reside in either the 
GDT or the LDT, but not in the IDT. Figure 
7-10 gives the complete 
layout 
of a call gate 
descriptor. 


A call gate can be referred 
to by either 
the 
long JMP 
or CALL 
instructions. 
From 
the 
viewpoint of the program 
executing 
a JMP or 
CALL 
instruction, 
the fact that 
the destina- 
tion 
was 
reached 
via 
a call 
gate 
and 
not 
directly 
from the destination 
address 
of the 
instruction 
is not apparent. 


Name 
Value 
Description 


4 
-Call 
Gate 


TYPE 
5 
-Task 
Gate 
6 
-Interrupt 
Gate 
7 
-Trap 
Gate 


P 
0 
-Descriptor 
Contents are 
not valid 
1 
-Descriptor 
Contents are 
valid 


DPL 
0-3 
Descriptor Privilege Level 


WORD 
Number of words to copy 
COUNT 
0-31 
from callers stack to called 
procedures 
stack. 
Only 
used with call gate. 


Selector to the target code 


DESTINATION 
16-bit 
segment (Call, Interrupt or 


SELECTOR 
selector Trap Gate) 
Selector to the target task 
state segment (Task Gate) 


DESTINATION 
16-bit 
Entry 
point 
within 
the 
OFFSET 
offset 
target code segment 


DPL (in the access byte) 
is checked 
against 
the EPL (MAX 
(task 
CPL, 
selector 
RPL». 
If EPL > CPL, 
the program 
is less privi- 
leged than the gate and therefore 
it may not 
make 
a transition. 
In this 
case, 
a general 
protection 
fault 
occurs 
with 
an error 
code 


identifying 
the gate. 
Otherwise, 
the gate 
is 


accessible 
from 
the 
program 
executing 
the 


call, 
and the control 
transfer 
is allowed 
to 


continue. 
After 
the 
privilege 
checks, 
the 


descriptor 
presence 
is checked. 
If the present 


bit of the gate access rights byte is 0 (i.e., the 
target code segment is not present), 
no present 


fault occurs with an error code identifying 
the 


gate. 


The checks indicated 
in table 7-3 are applied 


to the contents 
of the call gate. Violating 
any 


of them causes the exception 
shown. The low 


order two bits of the error 
code are zero for 


these exceptions. 


7.5.1.2 
INTRA·LEVEL 
TRANSFERS 
VIA CALL GATE 


The transfer 
is Intra-level 
if the destination 


code segment 
is at the same privilege level as 


CPL. 
Either 
the 
code 
segment 
is 
non- 


conforming 
with 
DPL 
= CPL 
or 
it 
is 


conforming, 
with DPL 
~ 
CPL 
(see section 


11.2 for this 
case). 
The 
32-bit 
destination 


address in the gate is loaded into CS:IP. 


- 


tion 
checks 
performed 
while 
transferring 
control (with the CALL 
instruction) 
through 
a call gate: 


• 
Verifying 
that 
access to the call gate 
is 
allowed. 
One of the protection 
features 
provided by call gates is the access checks 
made to determine 
if the call gate 
may 
be used (i.e., checking if the privilege level 
of the calling program 
is adequate). 


• 
Determining 
the destination 
address 
and 
whether 
a privilege transition 
is required. 


This feature 
makes 
privilege 
transitions 
transparent 
to the caller. 


• 
Performing 
the 
privilege 
transition, 
if 
required. 


Verifying 
access to a call gate is the same for 
any call gate and is independent 
of whether 
a 
JMP or CALL instruction 
was used. The rules 
of privilege used to determine 
whether 
a data 
segment 
may 
be accessed 
are 
employed 
to 
check 
if a call 
gate 
may 
be jumped-to 
or 
called. 
Thus, 
privileged 
subroutines 
can 
be 
hidden 
from 
untrusted 
programs 
by 
the 
absence of a call gate. 


When 
an 
inter-segment 
CALL 
or 
JMP 
instruction 
selects a call gate, the gate's privi- 


~ 


Type of Check 
Faultl') 
Error Code 


Selector is not Null 
GP 
0 
Selector is within Descriptor Table Limit 
GP 
Selector ID 
Descriptor is a Code Segment 
GP 
Code segment 


Code Segment is Present 
NP 
Code Segment id 
Nonconforming Code Segment 
GP 
Code Segment id 
DPL> 
CPL 


NOTES; 


(1) GP = General Protection, NP = Not-Present Exception. 


If the IP value is not within 
the limit of the 
code 
segment, 
a general 
protection 
fault 
occurs 
with an error 
code of O. If a CALL 


instruction 
is used, the return 
address is saved 


in the normal 
manner. 
The only effect of the 


call gate is to place a different 
address 
into 
CS:IP 
than 
that 
specified 
in the destination 
address of the JMP or CALL instruction. 
This 


feature 
is useful 
for systems 
which 
require 


that a fixed address be provided to programs, 
even though the entry address 
for the routine 
may 
change 
due 
to 
different 
functions, 
software 
changes, 
or segment 
relocation. 


7.5.1.3 
INTER-LEVEL CONTROL TRANSFER VIA 
CALL GATES 


If the destination 
code segment 
of the call 
gate is at a different 
privilege 
level than 
the 
CPL, 
an 
inter-level 
transfer 
is 
being 
requested. 
However, 
if the destination 
code 


CODE 
SEG. 


DESCR. 


segment DPL < CPL, then a general 
protec- 
tion fault occurs with an error code identify- 
ing the destination 
code segment. 


The gate guarantees 
that 
all transitions 
to a 
more privileged 
level will go to a valid entry 
point rather 
than 
possibly into the middle 
of 
a procedure 
(or worse, into the middle 
of an 
instruction). 
See figure 7-11. 


Calls 
to 
more 
privileged 
levels 
may 
be 
performed 
only through 
call gates. 
A JMP 
instruction 
can never cause a privilege change. 


Any attempt 
to use a call gate in this manner 
will cause a general 
protection 
fault with an 
error 
code identifying 
the 
gate. 
Returns 
to 
more 
privileged 
levels 
are also prohibited. 


Inter-level 
transitions 
due to interrupts 
use a 
different 
gate, as discussed 
in Chapter 
9. 


TARGET 
CODE 
SEGMENT 


The RPL field of the CS selector saved as part 
of the return 
address 
will always identify 
the 


caller's CPL. This information 
is necessary 
to 


correctly 
return 
to the caller's 
privilege 
level 


during the return instruction. 
Since the CALL 


instruction 
places the CS value on the more 


privileged stack, and JMP 
instructions 
cannot 


change privilege levels, it is not possible for a 
program to maliciously place an invalid return 
address on the caller's 
stack. 


7.5.1.4 
STACK CHANGES CAUSED BY CALL GATES 


To maintain 
system 
integrity, 
each privilege 


level has a separate 
stack. These stacks assure 


sufficient stack space to process calls from less 
privileged 
levels. 
Without 
them, 
trusted 


programs 
may not work correctly, 
especially 


if the calling program 
does not provide suffi- 


cient space on the caller's 
stack. 


When a call gate is used to change 
privilege 


levels, a new stack is selected 
as determined 


by the new CPL. The new stack pointer value 
is loaded from the Task State Segment 
(TSS). 


The 
privilege 
level 
of the 
new 
stack 
data 


segment 
must equal the new CPL; 
if it does 


not, a task stack fault occurs 
with the saved 


machine 
state pointing 
at the CALL 
instruc- 


tion and the error code identifying 
the invalid 


stack selector. 


The new stack should 
contain 
enough 
space 


to hold the return 
address, 
and all parameters 


. and local variables required to process the call. 
The initial 
stack pointers 
for privilege 
levels 


0-2 in the TSS are strictly 
read only values. 
They are never changed 
during 
the course of 


execution. 


The normal technique 
for passing parameters 


to a subroutine 
is to place them onto the stack. 
To make privilege 
transitions 
transparent 
to 


the called program, 
a call gate specifies that 


parameters 
are to be copied from the old stack 


to the new stack. 
The word count 
field in a 


call gate (see figure 7-10) specifies how many 
words (up to 31) are to be copied 
from 
the 
caller's 
stack 
to the new stack. 
If the word 
count is zero, no parameters 
are copied. 


Before copying the parameters, 
the new stack 
is checked to assure that it is large enough to 
hold the parameters; 
if it is not, a stack fault 
occurs 
with 
an error 
code 
of O. After 
the 
parameters 
are copied, 
the return 
link is on 
the new stack (i.e., a pointer 
to the old stack 
is placed in the new stack). 
In particular, 
the 


return 
address 
is pointed 
at by SS:SP. 
The 
call and return 
example 
of figure 
7-12 illus- 
trate 
the 
stack 
contents 
after 
a successful 
inter-level 
call. 


The stack pointer of the caller is saved above 
the caller's 
return 
address 
as the 
first 
two 
words pushed onto the new stack. The caller's 
stack 
can only be saved 
for calls 
to proce- 
dures at privilege levels 2, I, and o. Since level 
3 cannot 
be called 
by any procedure 
at any 


other 
privilege 
level, the 
level 
3 stack 
will 
never contain 
links to other stacks. 


Procedures 
requiring 
more than the 31 words 


for 
parameters 
that 
may 
be called 
from 


another 
privilege 
level must 
use 
the 
saved 
SS:SP 
link to access 
all parameters 
beyond 
the last word copied. 


The call gate does not check the values of the 
words copied onto the new stack. The called 
procedure 
should 
check 
each 
parameter 
for 
validity. 
Section 
11.3 
discusses 
how 
the 


ARPL, 
VERR, 
VERW, 
LSL, 
and 
LAR 
instructions 
can be used 
to check 
pointer 


values. 


7.5.2 Inter-level Returns 


An inter-segment 
return 
instruction 
can also 


change 
levels, but only toward 
programs 
of 


OLD SS 


OLD SP 


PARM 3 


PARM 2 


PARM 1 


OLD CS 


OLDIP 


equal or lesser privilege (when code segment 
DPL is numerically greater or equal than the 
CPL). The RPL of the selector popped off the 
stack by the return instruction identifies the 
privilege level to resume execution 
of the 
calling program. 


When the RET instruction encounters a saved 
CS value whose RPL > CPL, an inter-level 
return occurs. Checks shown in table 7-4 are 
made during such a return. 


The old SS:SP value is then adjusted by the 
number 
of bytes 
indicated 
in the 
RET 
instruction and loaded into SS:SP. The new 
SP value is not checked for validity. If SP is 
invalid it is not recognized until the first stack 


operation. The SS:SP value of the returning 
program 
is not saved. 
(Note: 
this value 
normally is the same as that saved in the 
TSS.) 


The last step in the return is checking the 
contents of the DS and ES descriptor regis- 
ter. If DS or ES refer to segments whose DPL 
is greater 
than the new CPL (excluding 
conforming 
code segments), 
the segment 
registers are loaded with the null selector. Any 
subsequent memory reference that attempts 
to use the segment register containing the null 
selector will cause a general protection fault. 
This prevents 
less privileged 
code from 
accessing more privileged 
data previously 
accessed by the more privileged program. 


Type of Check 
Exception' 
Error Code 


SP is not a Segment 
Limit 
SF 
0 


SP + N + 7 is not in Segment 
Limit 
SF 
0 


RPL of Return 
CS is Greater 
than CPL 
GP 
Return 
CS id 


Return CS Selector 
is not null 
GP 
Return 
CS id 


Return 
CS segment 
is within 
Descriptor 
Table 
Limit 
GP 
Return 
CS id 
Return CS Descriptor 
is a Code Segment 
GP 
Return 
CS id 
Return CS Segment 
is Present 
NP 
Return 
CS id 
DPL of Return 
Non-Conforming 
Code Segment 
= RPL of CS 
GP 
Return 
CS id 
SS Selector 
at SP + N + 6 is not Null 
SF 
Return 
SS id 
SS Selector 
at SP + N + 6 is within 
Descriptor 
Table Limit 
SF 
Return 
SS id 
SS Descriptor 
is Writable 
Data Segment 
SF 
Return 
SS id 
SS Segment 
is Present 
SF 
Return 
SS id 
SS Segment 
DPL = RPL of CS 
SF 
Return 
SS id 
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CHAPTER 8 
TASKS AND STATE TRANSITIONS 


8.1 
INTRODUCTION 


An 
iAPX 
286 
task 
is a single, 
sequential 
thread of execution. 
Each task can be isolated 
from all other tasks. There may be many tasks 
associated 
with an iAPX 
286 CPU, 
but only 
one task executes 
at any time. Switching 
the 
CPU 
from 
executing 
one task 
to executing 
another 
can occur 
as the result 
of either 
an 


interrupt 
or an inter-task 
call 
or jump. 
A 
hardware 
recognized 
data 
structure 
defines 
each task. 


The iAPX 
286 provides 
a high performance 


task switch operation 
with complete 
isolation 
between 
tasks. 
A full task-switch 
operation 
takes 
only 
22 
microseconds 
at 
8 
MHz 
(18 
microseconds 
at 
10 
MHz). 
High- 
performance, 
interrupt-driven, 
multi- 
application 
systems that need the benefits 
of 
protection 
are feasible with the 80286. 


A performance 
advantage 
and system design 
advantage 
arise 
from 
the 
iAPX 
286 task 
switch: 


• 
Faster 
task 
switch: 
A task 
switch 
is a 
single 
instruction 
performed 
by micro- 
code. Such a scheme 
is 2-3 times 
faster 
than 
an explicit 
task switch 
instruction. 
A fast task switch translates 
to a signifi- 
cant performance 
boost for heavily multi- 
tasked 
systems 
over 
conventional 
methods. 


• 
More 
reliable, 
flexible 
systems: 
The 
isolation between tasks and the high speed 
task 
switch 
allows 
interrupts 
to 
be 
handled 
by separate 
tasks 
rather 
than 
within the currently 
interrupted 
task. This 
isolation of interrupt 
handling 
code from 
normal 
programs 
prevents 
undesirable 
interactions 
between 
them. The interrupt 


system 
can become 
more 
flexible 
since 
adding an interrupt 
handler 
is as safe and 
easy as adding a new task. 


• 
Every task is protected 
from all others via 
the separation 
of address spaces described 
in Chapter 
7 (unless 
explicit 
sharing 
is 
planned in advance). 
If the address spaces 
of two tasks include 
no shared 
data, 
one 
task 
cannot 
affect 
the 
data 
of another 
task. 
Code sharing 
is always 
safe since 
code segments 
may never be written 
into. 


8.2 
TASK STATE SEGMENTS AND 
DESCRIPTORS 


Tasks are defined by a special control segment 
called 
a Task 
State 
Segment 
(TSS). 
The 
definition 
of a task includes 
its address 
space 
and execution 
state. A task is invoked (made 
active) by inter-segment 
jump or call instruc- 
tions 
whose destination 
address 
refers 
to a 
task state segment 
or a task gate. 


The Task State Segment 
(TSS) 
has a special 
descriptor. 
The Task Register 
within the CPU 
contains 
a selector 
to that 
descriptor. 
Each 
TSS 
selector 
value 
is unique, 
providing 
an 
unambiguous 
"identifier" 
for each task. Thus, 
an operating 
system can use the value of the 
TSS selector to uniquely 
identify 
the task. 


A TSS 
contains 
22 words 
that 
define 
the 
contents 
of all registers 
and flags, the initial 
stacks for privilege levels 0-2, the LDT selec- 
tor, and a link to the TSS of the previously 
executing 
task. 
Figure 
8-1 shows the layout 
of the TSS. 


Each 
TSS 
consists 
of two 
parts, 
a static 
portion 
and 
a dynamic 
portion. 
The 
static 
entries 
are never changed 
by the iAPX 
286, 
while the dynamic entries are changed by each 
task switch out of this task. The static portions 
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of this segment are the task LDT selector and 
the 
initial 
stack 
pointer 
address 
for 
levels 0-2. 


The modifiable 
or dynamic portion of the task 
state 
segment 
consists 
of all dynamically- 
variable 
and programmer-visible 
processor 
registers, 
including 
flags, 
segment 
registers, 
and the instruction 
pointer. 
It also includes 
the linkage word used to chain nested invoca- 
tions of different 
tasks. 


The 
link word 
provides 
a history 
of which 
tasks invoked others. The link word is impor- 
tant 
for restarting 
an interrupted 
task when 
the interrupt 
has been serviced. 
Placing 
the 
back link in the TSS protects it from improper 
use by the interrupt 
task. 


The stack pointer entries in the TSS for privi- 
lege levels 0-2 are static 
(i.e., never written 
during a privilege or task switch). They define 
the stack to use upon entry 
to that 
privilege 
level. When entering 
a more privileged 
level, 
the caller's stack pointer is saved on the stack 
of the new privilege 
level, not in the TSS. 
Leaving 
the privilege 
level requires 
popping 
the caller's 
return 
address 
and stack pointer 
off the current stack. The stack pointer at that 
point 
will be the 
same 
as the 
initial 
value 
loaded 
from 
the 
TSS 
upon 
entry 
to 
the 
privilege level. 


There is only one stack active at any time, the 
one defined 
by the SS and SP registers. 
The 
only other stacks that may be active are those 
at outer (less privileged) 
levels that called the 
current 
level. Stacks 
for inner 
levels cannot 
be active since outward 
(to numerically 
larger 
privilege levels) calls from inner levels are not 
allowed. 


The location of the stack pointer for an outer 
privilege level will always be found at the start 
of the stack of the inner privilege 
level called 
by that 
level. That 
stack 
may be the initial 
stack for this privilege level or an outer level. 
Look at the start 
of the stack 
for this privi- 
lege level. If the RPL of the saved SS selector 
is the privilege 
level required, 
then 
use the 
SS:SP 
value 
there. 
Otherwise, 
go to the 
beginning 
of the stack defined 
by that 
value 
and look at the saved SS:SP value there. 


8.2.1 
Task State Segment Descriptors 
A special 
descriptor 
is used 
for 
task 
state 
segments. 
This descriptor 
must be accessible 
at all times; therefore, 
it can appear 
only in 
the GDT. The access byte distinguishes 
TSS 
descriptors 
from 
data 
or 
code 
segment 
descriptors. 
When 
bits 
1 through 
4 of the 
access byte are 0001 or 0003, the descriptor 
is for a TSS. 


The complete 
layout 
of a task state 
segment 
descriptor 
is shown in figure 8-2. 


Like a data segment; 
the descriptor 
contains 


a base address and limit field. The limit must 
be 
at 
least 
002BH 
(43) 
to 
contain 
the 


minimum 
amount 
of information 
required 
for 


a TSS. A task fault will occur if an attempt 
is made 
to switch 
to a task 
whose 
TSS 


descriptor 
limit is less than 43. 


The P-bit (Present) 
flag indicates whether this 


descriptor 
contains 
currently 
valid informa- 


tion: 
I means 
yes, 0 no. A task switch 
that 


attempts 
to reference 
a not-present 
TSS 


causes a not-present 
exception 
code identify- 


ing the task state segment 
selector. 


The descriptor 
privilege level (DPL) 
controls 


use of the TSS 
by JMP 
or CALL 
instruc- 


tions. By the same reasoning 
as that for call 


gates, 
DPL 
can 
prevent 
a program 
from 


calling 
the 
TSS 
and 
thereby 
cause 
a task 


switch. Section 8.3 discusses privilege consid- 
erations during a task switch in greater 
detail. 


Bit 4 is always 
0 since 
TSS 
is a control 


segment 
descriptor. 
Control 
segments 
cannot 


be accessed 
by SS, DS, or ES. Any attempt 


to load those segment 
registers 
with a selec- 


tor that 
refers 
to a control 
segment 
causes 


general 
protection. 
This 
rule 
prevents 
the 


program 
from 
improperly 
changing 
the 


contents 
of a control segment. 


TSS descriptors 
can have two states: idle and 


busy. 
Bit 1 of the access 
byte distinguishes 


them. The distinction 
is necessary 
since tasks 


are not re-entrant; 
a busy TSS 
may not be 


invoked. 


8.3 
TASK SWITCHING 


A task switch may occur in one of four ways: 


1. 
The destination 
selector of a long JMP or 


CALL 
instruction 
refers 
to 
a 
TSS 


descriptor. 
The 
offset 
portion 
of the 


destination 
address 
is ignored. 


2. 
An IRET 
instruction 
is executed 
when 


the NT bit in the flag word = 1. The new 
task TSS selector is in the back link field 
of the current 
TSS. 


3. 
The destination 
selector of a long JMP or 


CALL 
instruction 
refers 
to a task gate. 


The 
offset 
portion 
of the 
destination 


address 
is ignored. 
The 
new task 
TSS 
selector is in the gate. (See section 8.5 for 
more information 
on task gates.) 


4. 
An interrupt 
occurs. 
This 
interrupt's 


vector refers to a task gate in the inter- 
rupt descriptor 
table. 
The new task TSS 
selector is in the gate. See section 9.4 for 
more information 
on interrupt 
tasks. 


No new instructions 
are required 
for a task 


switch 
operation. 
The 
standard 
iAPX 
86 


JMP, 
CALL, 
IRET, 
or interrupt 
operations 


perform this function. The distinction 
between 


the standard 
instruction 
and a task switch is 


made either 
by the type of descriptor 
refer- 
enced 
or by the NT 
bit in flag 
word. 
The 
choice of technique 
depends on whether 
a task 


is being 
made 
active 
or idle 
and 
whether 
return from the new task is expected. 


Using 
the call 
instruction 
to switch 
tasks 


implies a return 
is expected 
from the called 


task. The jump instruction 
implies no return 


is expected 
from the new task. 


The IRET 
instruction 
causes 
a return 
to the 


task that called this one. 


The 
task 
gate 
is the 
preferred 
method 
of 


servicing an interrupt 
in an isolated 
task. 


Access to TSS 
and task 
gate 
descriptors 
is 


restricted 
by the rules privilege level. The data 


access rules are used, thereby 
allowing 
task 


switches to be restricted to programs of suffi- 
cient privilege. Address space separation does 
not apply to TSS descriptors since they must 
be in the GDT. The access rules for inter- 
rupts are discussed in section 9.4. 


For JMP or CALL instructions that refer- 
ence a TSS or task gate, the effective privi- 
lege level of the destination selector (Le., the 
numeric maximum of the selector's RPL and 
current CPL) must be less than or equal to 
the descriptor DPL. If it is not, a general 
protection fault will occur with an error code 
identifying the descriptor. 


Once access to the TSS has been granted, the 
task switch operation involves six steps: 


1. 
Recognizing that the JMP /CALL/IRET 
instruction or interrupt 
requires a task 
switch: One of the four ways shown in 
section 8.3 must be used for this. The new 
TSS to use is defined either directly by 
the 
TSS 
descriptor 
selected 
by the 
instruction or is in the task gate. 


2. 
Checking that the current task is allowed 
to switch to the designated task: Data 
access privilege rules are applied for the 
JMP /CALL 
cases. The current 
task 
becomes the outgoing task. 


3. 
Checking that the new task is present and 
has a proper TSS limit: The new task 
becomes the incoming task. 


4. 
Saving the state of the outgoing task: The 
outgoing TSS selector is in the TR. The 
dynamic portion of the outgoing TSS is 
written 
with the corresponding 
CPU 
register values (e.g., AX, BX, CX, DX, 
SI, DI, BP, SP, ES, DS, SS, CS, IP, and 
flag register). The IP value points at the 
instruction 
following 
the one which 
caused the task switch. All errors up to 
this point are handled in the context of 


the outgoing task. The errors are restart- 
able and error handling is transparent to 
the application program. 


5. 
Load TR with the incoming task selec- 
tor, mark the incoming task's descriptor 
as busy, and set TS. 


6. 
Load the incoming task state and resume 
execution: The following registers 
are 
loaded: LDT, AX, BX, CX, DX, SI, DI, 
BP, SP, ES, DS, SS, CS, IP, and flag 
register. Any errors detected in this step 
are handled in the context of the incom- 
ing task. It will appear as if the first 
instruction of the new task had not yet 
executed. 


Note that the state of the outgoing task is 
always saved. If execution of that 
task is 
resumed, 
it will start the instruction 
that 
caused the task switch. The values of the 
registers will be the same as that when the 
task stopped running. 


Any task switch sets the Task Switched (TS) 
bit in the Machine Status Word (MSW). This 
flag is used when processor extensions such 
as the 80287 Numeric Processor Extension 
are present. 
The TS bit signals 
that 
the 
context of the processor extension may not 
belong to the current iAPX 286 task. Chapter 
11 discusses the TS bit and processor exten- 
sions in more detail. 


The checks in table 8-1 are made during the 
task switch. All the requirements shown in the 
table must be satisfied for the task switch to 
occur without an exception. For each check, 
the type of exception 
and error code are 
described. Up to and including step 3, the 
exception occurs in the context of the outgo- 
ing task. After step 3, the incoming task is 
considered valid. All exceptions occur in the 
context of the incoming task. 


Step 
Test 
Exception' 
Error Code 


1 
Incoming 
TSS descriptor 
is present 
NP 
Incoming 
TSS selector 


2 
Incoming 
TSS is idle 
GP 
Incoming 
TSS selector 


3 
Limit of incoming 
TSS greater 
than 43 
Invalid TSS 
Incoming 
TSS selector 


*** All register 
and selector 
values 
are loaded 
*** 


4 
LOT selector 
of incoming 
TSS is valid 
Invalid TSS 
Incoming 
TSS selector 
5 
LOT of incoming 
TSS is present 
Invalid TSS 
Incoming 
TSS selector 
6 
CS selector 
is valid 
. 
Invalid TSS 
Code segment 
selector 
7 
Code segment 
is present 
NP 
Code segment 
selector 
8 
Code segment 
OPL matches 
CS RPL 
Invalid TSS 
Code segment 
selector 
9 
Stack segment 
is valid 
SF 
Stack segment 
selector 
10 
Stack segment 
is writable 
data segment 
GP 
Stack segment 
selector 
11 
Stack segment 
is present 
SF 
Stack segment 
selector 
12 
Stack segment 
OPL = CPL 
SF 
Stack segment 
selector 
13 
OS/ES selectors 
are valid 
GP 
Segment 
selector 
14 
OS/ES segments 
are readable 
GP 
Segment 
selector 
15 
OS/ES segments 
are present 
NP 
Segment 
selector 
16 
OS/ES segment 
OPL 2:: CPL if not conform 
GP 
Segment 
selector 


*NP = Not-Present 
Exception 


GP = General 
Protection 
Fault 


SF = Stack Fault 


Validity 
tests 
on a selector 
ensure 
that 
the 


selector: is in the proper 
table (i.e., the LDT 


selector refers to GDT), 
lies within the bounds 


of the table, and refers to the proper 
type of 


descriptor 
(i.e., the LDT selector refers to the 


LDT descriptor). 


Note that between 
steps 3 and 4 in table 8-1 


all the registers 
are loaded. 
Several 
protec- 


tion rule violations 
may exist in the segment 


register contents. 
If the appropriate 
exception 


handler 
receives control 
in the context 
of the 


task 
causing 
the 
error, 
the 
DS 
and 
ES 


segments 
may not be accessible 
even though 


the segment registers contain non-zero values. 
These values must be saved for later 
re-use. 


When 
the 
exception 
handler 
reloads 
these 


segment 
registers, 
another 
protection 
excep- 


tion may occur unless the exception 
handler 


pre-examines 
them 
and 
fixes 
any 
potential 


problems. 


A task switch 
allows flexibility 
in the privi- 


lege level of the outgoing 
and incoming 
tasks. 


The privilege level at which execution 
resumes 


in the incoming 
task is not restricted 
by the 


privilege 
level of the outgoing 
task. 
This 
is 


reasonable 
since both tasks are isolated 
from 


each other with separate 
address 
spaces 
and 


machine 
states. 
The 
privilege 
rules 
prevent 


improper 
access to a TSS. The only interac- 


tion between 
the tasks 
is to the extent 
that 


one started 
the other 
and the incoming 
task 


may restart 
the outgoing 
task while executing 
an IRET 
or RET instruction. 


8.4 
TASK LINKING 


The TSS has a field called "back link" which 
contains the selector of the TSS of a task that 
should 
be restarted 
when 
the 
current 
task 


completes. 
The 
back 
link field 
of an inter- 


rupt-initiated 
task 
is automatically 
written 


with the TSS selector of the interrupted 
task. 


A task switch initiated by a CALL instruc- 
tion also points the back link at the outgoing 
task's TSS. Such task nesting is indicated to 
programs via the Nested Task (NT) bit in the 
flag word of the incoming task. 


Task 
nesting 
is necessary 
for interrupt 
functions to be processed as separate tasks. 
The interrupt function is thereby isolated from 
all other tasks in the system. To restart the 
interrupted 
task, 
the 
interrupt 
handler 
executes an IRET instruction much in the 
same manner 
as an iAPX 
86 interrupt 
handler. The IRET instruction will then cause 
a task switch to the interrupted task. 


Completion of a task occurs when the IRET 
instruction is executed with the NT bit in the 
flag word set. The NT bit is automatically 
set/reset by task switch operations as appro- 
priate. Executing an IRET instruction with 
NT cleared causes the normal iAPX 86 inter- 
rupt return function to be performed. 


Executing IRET with NT set causes a task 
switch to the task defined by the back link 
field of the current TSS. The selector value is 
fetched and verified as pointing to a valid, 
accessible 
TSS. The normal 
task switch 
operation described in section 8.3 then occurs. 


After the task switch is complete, the outgo- 
ing task is now idle and considered ready to 
process another interrupt. 


Table 8-2 shows how the busy bit, NT bit, 
and link word of the incoming and outgoing 
task are affected by task switch operations 
caused 
by 
JMP, 
CALL, 
or 
IRET 
instructions. 


Violation of any of the busy bit requirements 
shown in table 8-2 causes a general protec- 
tion fault 
with the saved machine 
state 
appearing 
as if the instruction 
had 
not 
executed. The error code identifies the selec- 
tor of the TSS with the busy bit. 


A bus lock is applied during the testing and 
setting of the TSS descriptor 
busy bit to 
ensure that two processors do not invoke the 
same task at the same time. See also section 
11.4 for other multi-processor considerations. 


The linking order of tasks can be changed by 
trusted software that can correctly change the 
back link field in a TSS and busy bit of the 
descriptor. Such changes are necessary if the 
software wants to restart a task interrupted 
by another task after the interrupted 
task 
requests some time-consuming function. 


JMP 
CALL/INT 
IRET 
Affected Field 
Instruction 
Instruction 
Instruction 
Effect 
Effect 
Effect 


Busy bit of incoming task TSS descriptor 
Set, must be 
Set, 
must 
be 
0 
Unchanged, 
o before 
before 
must be set 


Busy bit of outgoing task TSS descriptor 
Cleared 
Unchanged 
Cleared 


NT bit in incoming task flag word 
Cleared 
Set 
Unchanged 


NT bit in outgoing task flag word 
Unchanged 
Unchanged 
Cleared 


Back link in incoming task TSS 
Unchanged 
Set 
to 
outgoing 
Unchanged 
task TSS selector 


Back link of outgoing task TSS 
Unchanged 
Unchanged 
Unchanged 


When trusted software deletes the link from 
one task to another, it should place a value in 
the backlink field, which will pass control to 
that trusted software when the task attempts 
to resume execution of another task via IRET. 


8.5 
TASK GATES 


A task may be invoked by several different 
events. Task gates are provided to support this 
need. Task gates are used in the same way as 
call and interrupt gates. The ultimate effect 
of jumping to or calling a task gate is the same 
as jumping to or calling directly to the TSS 
in the task gate. 


A task gate is identified by the access byte 
field in bits 0 through 4 being 00101. The gate 
provides an extra level of indirection between 
the destination address and the TSS selector 
value. The offset portion of the JMP or CALL 
destination address is ignored. 


Gate use provides flexibility in controlling 
access to tasks. Task gates can appear in the 


GDT or LDT. The TSS descriptors for all 
tasks must be kept in the GDT. They are 
normally placed at level 0 to prevent any task 
from improperly invoking another task. Task 
gates placed in the LDT allow private access 
to selected tasks with full privilege control. 


The data 
segment 
access 
rules 
apply 
to 
accessing a task gate via JMP, CALL, or INT 
instructions. 
The effective 
privilege 
level 


(EPL) of the destination 
selector must be 


numerically less than or equal to the DPL of 
the task gate descriptor. Any violation of this 
requirement causes a general protection fault 
with an error code identifying the task gate 
involved. 


Once access to the task gate has been verified, 
the TSS selector from the gate is read. The 
RPL of the TSS selector is ignored. From this 
point, all the checks and actions performed 
for a JMP or CALL to a TSS after access 
has been verified are performed (see sectibn 
8.4). Figure 8-4 illustrates an example of a 
task switch through a task gate. 
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CHAPTER 9 
INTERRUPTS AND EXCEPTIONS 


Interrupts 
and exceptions 
are special cases of 


control 
transfer 
within 
a program. 
An inter- 


rupt 
occurs 
as a result 
of an event 
that 
is 


independent 
of 
the 
currently 
executing 


program, 
while exceptions 
are a direct 
result 


of the program 
currently 
being 
executed. 
Interrupts 
may be external 
or internal. 
Exter- 


nal 
interrupts 
are 
generated 
by either 
the 


INTR 
or NMI 
input pins. Internal 
interrupts 


are caused 
by the 
INT 
instruction. 
Excep- 


tions 
occur 
when 
an instruction 
cannot 
be 


completed 
normally. 
Although 
their 
causes 
differ, interrupts 
and exceptions 
use the same 


control transfer 
techniques 
and privilege rules; 
therefore, 
in the following discussions the term 


interrupt 
will also apply to exceptions. 


The program 
used to service an interrupt 
may 
execute in the context 
of the task that caused 


the interrupt 
(Le., used the same TSS, LDT, 
stacks, etc.) or may be a separate 
task. 
The 
choice 
depends 
on 
the 
function 
to 
be 
performed 
and the level of isolation 
required. 


9.1 INTERRUPT 
DESCRIPTOR 
TABLE 


Many 
different 
events 
may 
cause 
an inter- 
rupt. To allow the reason 
for an interrupt 
to 
be easily identified, 
each interrupt 
source 
is 


given a number called the interrupt 
vector. Up 
to 256 different 
interrupt 
vectors 
(numbers) 


are possible. See figure 9-1. 


A table is used to define the handler 
for each 
interrupt 
vector. 
The 
Interrupt 
Descriptor 
Table (IDT) defines the interrupt 
handlers 
for 
up to 256 different 
interrupts. 
The IDT is in 
physical 
memory, 
pointed 
to by the contents 


of the on-chip 
IDT 
register 
that 
contains 
a 


24-bit base and a 16-bit limit. The IDTR 
is 


normally loaded with the LIDT instruction 
by 


code that executes 
at privilege 
level 0 during 
system initialization. 
The IDT may be located 
anywhere 
in the physical 
address 
space of the 
iAPX 286. 


Each IDT entry 
is a 4-word 
gate descriptor 
that 
contains 
a pointer 
to the handler. 
The 


, 


GATE FOR 


INTERRUPT "n 


GATE FOR 


INTERRUPT "n·' 
· 
CPU 
.... 
·· 
15 
0 
GATE FOR 
I lOT LIMIT 
INTERRUPT" 
1 
l- I- 


GATE FOR 
I 


INTERRUPT 
#0 
lOT BASE 


23 
0 
, 


INTERRUPT 
DESCRIPTOR 
TABLE 
(lOT) 


••• 'V" 
w 1" 
6" '''''', 
L1 (1P ~(:llt:S ~Uiscussed 
In 
section 
9.3), 
and task 
gates 
(discussed 
in 
section 8.5). Interrupt 
and task gates process 
interrupts 
in the same task, while task gates 
cause a task switch. Any other descriptor 
type 
in the IDT 
will cause 
an exception 
if it is 
referenced 
by an interrupt. 


The IDT need not contain 
all 256 entries. 
A 
16-bit limit register 
allows less than 
the full 
number 
of entries. 
Unused 
entries 
may 
be 
signaled by placing a zero in the access rights 
byte. If an attempt 
is made to access an entry 
outside 
the 
table 
limit, 
or 
if the 
wrong 
descriptor 
type is found, a general 
protection 
fault occurs with an error code identifying 
the 
invalid interrupt 
vector (see figure 9-2). 


Exception 
error 
codes that 
refer 
to an IDT 
entry can be identified 
by bit 1 of the error 
code that will be set. Bit 0 of the error 
code 
is 1 if the interrupt 
was caused 
by an event 
external 
to the 
program 
(i.e., 
an external 
interrupt, 
a single step, a processor 
extension 
error, or a processor 
extension 
not present). 


Interrupts 
0-31 are reserved 
for use by Intel. 


Some of the interrupts 
are used for instruc- 


least 
255 
to accommodate 
the 
minimum 
number 
of interrupts. 
The 
remaining 
224 
interrupts 
are available 
to the user. 


9.2 
HARDWARE 
INITIATED 
INTERRUPTS 


Hardware-initiated 
interrupts 
are caused 
by 
some external 
event that 
activates 
either 
the 
INTR 
or NMI 
input 
pins of the processor. 
Events that use the INTR 
input are classified 
as maskable 
interrupts. 
Events 
that 
use the 
NMI 
input 
are 
classified 
as non-maskable 
interrupts. 


All 224 user-defined 
interrupt 
sources 
share 
the INTR 
input, 
but each has the ability 
to 
use a separate 
interrupt 
handler. 
An 
8-bit 
vector 
supplied 
by the 
interrupt 
controller 
identifies which interrupt 
is being signaled. To 
read the interrupt 
id, the processor 
performs 
the interrupt 
acknowledge 
bus sequence. 


Maskable 
interrupts 
(from 
the INTR 
input) 
can be inhibited 
by software 
by setting 
the 
interrupt 
flag bit (IF) 
to 0 in the flag word. 
The 
IF 
bit 
does 
not 
inhibit 
exceptions 
or 
interrupts 
caused by the INT instruction. 
The 
IF bit also does not inhibit 
processor 
exten- 
sion interrupts. 


15 
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E 
0 
0 
0 
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lOT VECTOR 
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T 


1 
An event external 
to the program 
caused the exception 
(Le, external 
interrupt, single step, processor 
extension 
error) 


0 
An exception 
occurred 
while 
processing 
an instruction. 


The type of gate placed into the IDT for the 
interrupt 
vector 
will control 
whether 
other 
maskable 
interrupts 
remain 
enabled 
or not 
during the servicing of that interrupt. 
The flag 


word that was saved on the stack reflects 
the 


maskable 
interrupt 
enable 
status 
of the 


processor 
prior 
to the interrupt. 
The proce- 


dure servicing 
a maskable 
interrupt 
can also 


prevent further 
maskable 
interrupts 
during its 


work by resetting 
the IF flag. 


Non-maskable 
interrupts 
are caused 
by the 
NMI 
input. They have a higher priority 
than 


the maskable 
interrupts 
(meaning 
that in case 


of simultaneous 
requests, 
the 
non-maskable 


interrupt 
will 
be serviced 
first). 
A non- 


maskable interrupt 
has a fixed vector (#2) and 
therefore 
does 
not 
require 
an 
interrupt 
acknowledge 
sequence 
on the bus. A typical 
use of an NMI 
is to invoke a procedure 
to 
handle 
a power failure 
or some other critical 
hardware 
exception. 


A procedure 
servicing 
an NMI 
will not be 


further 
interrupted 
by other 
non-maskable 


interrupt 
requests 
until an IRET 
instruction 


is executed. 
Any further 
NMI 
requests 
are 
remembered 
by the 
hardware 
and 
will 
be 


serviced 
after the first IRET 
instruction. 
To 
prevent a maskable 
interrupt 
from interrupt- 
ing the NMI 
interrupt 
handler, 
the IF flag 


should be cleared either by using an interrupt 
gate in the IDT or by setting 
IF = 0 in the 
flag word of the task involved. 


9.3 
SOFTWARE INITIATED INTERRUPTS 


Software 
initiated 
interrupts 
occur explicitly 


as interrupt 
instructions 
or may arise as the 
result 
of 
an 
exceptional 
condition 
that 
prevents 
the continuation 
of program 
execu- 
tion. 
Software 
interrupts 
are 
not maskable. 
Two interrupt 
instructions 
exist which explic- 
itly cause an interrupt: 
INT nand 
INT 3. The 
first 
allows 
specification 
of any interrupt 
vector; the second implies 
interrupt 
vector 
3 


(Breakpoint). 


Other instructions 
like INTO, 
BOUND, 
DIV, 
and IDIV may cause an interrupt, 
depending 
on the overflow flag or values of the operands. 
These 
instructions 
have 
predefined 
vectors 
associated 
with them in the first 32 interrupts 
reserved by Intel. 


A whole class of interrupts 
called exceptions 
are intended 
to detect faults or programming 
errors 
(in the 
use of operands 
or privilege 
levels). 
Exceptions 
cannot 
be masked. 
They 
also have 
fixed 
vectors 
within 
the 
first 
32 
interrupts. 
Many of these exceptions 
pass an 
error code on the stack, which is not the case 
with 
the other 
interrupt 
types 
discussed 
in 
section 9.2. Section 
9.5 discusses 
these error 
codes as well as the priority 
among interrupts 
that can occur simultaneously. 


9.4 
INTERRUPT GATES AND TRAP GATES 


Interrupt 
gates 
and 
trap 
gates 
are 
special 
types of descriptors 
that 
may only appear 
in 
the interrupt 
descriptor 
table. The difference 
between 
a trap 
and 
an 
interrupt 
gate 
is 
whether 
the 
interrupt 
enable 
flag 
is to be 
cleared 
or not. An interrupt 
gate specifies 
a 
procedure 
that enters with interrupts 
disabled 
(i.e., with the interrupt 
enable 
flag cleared); 


entry 
via a trap 
gate 
leaves 
the 
interrupt 
enable 
status 
unchanged. 
The 
NT 
flag 
is 
always cleared 
when an interrupt 
uses these 
gates. Interrupts 
that have either 
gate in the 
associated 
IDT entry will be processed 
in the 
current 
task. 


Interrupts 
and 
trap 
gates 
have 
the 
same 
structure 
as the call gates discussed 
in section 
7.5.1. The selector 
and entry point for a code 
segment 
to handle 
the interrupt 
or exception 
is contained 
in the gate. See figure 9-3. 


The access byte contains 
the Present 
bit, the 
descriptor 
privilege level, and the type identi- 
fier. Bits 0-4 of the access byte have a value 
of 6 for interrupt 
gates, 7 for trap gates. Byte 


5 of the descriptor 
is not used by either 
of 
these gates; 
it is used only by the call gate, 
which uses it as the parameter 
word-count. 


Trap 
and 
interrupt 
gates 
allow 
a privilege 
level transition 
to occur when passing control 
to a non-conforming 
code segment. Like a call 
gate, 
the 
DPL 
of the 
target 
code 
segment 
selected 
determines 
the new CPL. 
The DPL 
of the new non-conforming 
code segment must 
be less than or equal to CPL. 


No privilege transition 
occurs if the new code 
segment 
is conforming. 
If the 
DPL 
of the 
conforming 
code segment 
is greater 
than the 
CPL, 
a general 
protection 
exception 
will 
occur. 


As with all descriptors, 
these gates in the IDT 
carry 
a privilege 
level. 
The 
DPL 
controls 
access to interrupts 
with the INT 
n instruc- 
tion. For access, the CPL of the program 
must 
be less than or equal to the gate DPL. If the 
CPL is not, a general protection 
exception will 
result 
with 
an error 
code 
identifying 
the 
selected 
IDT gate. For exceptions 
and exter- 
nal interrupts, 
the 
CPL 
of the 
program 
is 
ignored while accessing 
the IDT. 


Interrupts 
pointing 
to a trap 
or an interrupt 
gate are handled 
in the same manner 
as an 
iAPX 
86 interrupt. 
The 
flags 
and 
return 
address of the interrupted 
program 
are saved 
on the 
stack 
of the 
interrupt 
handler. 
To 
return 
to the interrupted 
program, 
the inter- 
rupt handler 
executes 
an IRET 
instruction. 


If 
a privilege 
transition 
is required 
for 
handling 
the interrupt, 
a new stack 
will be 
loaded from the TSS. The stack pointer of the 
old privilege 
level will also be saved on the 
new stack in the same manner 
as a call gate. 
Figure 
9-4 shows the stack contents 
after 
an 
exception 
with an error code (with or without 
a privilege level change). 


If an interrupt 
or trap gate is used to handle 
an exception 
that 
passes 
an error 
code, 
the 
error code will be pushed onto the new stack 
after the return 
address 
(as shown in figure 
9-4). 


If an interrupt 
gate is used to handle an inter- 
rupt, 
it is assumed 
that 
the 
selected 
code 
segment 
has sufficient 
privilege 
to re-enable 
interrupts. 
The IRET 
instruction 
will not re- 
enable 
interrupts 
if CPL 
is numerically 
greater 
than IOPL. 
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Table 9-1 shows the checks performed 
during 
an interrupt 
operation 
that 
uses an interrupt 
or trap 
gate. 
EXT 
equals 
1 when 
an event 
external 
to the program 
is involved, 0 other- 
wise. External 
events 
are maskable 
or non- 
maskable 
interrupts, 
single 
step 
interrupt, 
processor 
extension 
segment 
overrun 
inter- 
rupt, 
numeric 
processor 
not-present 
excep- 
tion or numeric 
processor 
error. The EXT bit 
signals that the interrupt 
or exception 
is not 
related to the instruction 
at CS:IP. Each error 
code has bit 1 set to indicate 
an IDT entry is 
involved. 


When 
the 
interrupt 
has 
been 
serviced, 
the 
service routine 
returns 
control 
via an IRET 
instruction 
to 
the 
routine 
that 
was 
inter- 
rupted. 
If an error 
code 
was 
passed, 
the 
exception handler must remove the error code 
from the stack before executing 
IRET. 


The 
NT 
flag 
is cleared 
when 
an interrupt 
occurs which uses an interrupt 
or trap 
gate. 
Executing 
IRET 
with 
NT= 
0 causes 
the 
normal 
interrupt 
return 
function. 
Executing 
IRET 
with NT= 
I causes a task switch 
(see 
section 8.4 for more details). 


Interrupt vector is in lOT limit 
GP 


Trap, Interrupt, or Task Gate in lOT Entry 
GP 


If INT instruction, gate OPL ~ CPL 
GP 


P bit of gate is set 
I. 
NP 


Code segment selector is in descriptor table limit 
GP 


CS selector refers to a code segment. 
GP 


If 
code 
segment 
is 
non-conforming, 
Code 
Segment 
GP 
OPL::5 CPL 


If code segment is non-conforming, and OPL < CPL and if 
GP 
SS selector in TSS is in descriptor table limit 


If code segment is non-conforming, and OPL < CPL and if 
GP 
SS is a writable data segment 
_ 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


lOT entry X 8 + 2 + EXT 


If code segment is non-conforming, and OPL < CPL and 
code segment OPL = stack segment OPL 


If code segment is non-conforming, and OPL < CPL and if 
SS is present 


If code segment is non-conforming, and OPL < CPL and if 
there is enough space for 5 words on the stack (or 6 if error 
code is required) 


If code segment is conforming, then OPL ~CPL 


If code segment is not present 


If IP is not within the limit of code segment 


• GP = General Protection Exception 
NP = Not Present Exception 
SF = Stack Fault 


Like the RET instruction, 
IRET 
is restricted 
to return to a level of equal or lesser privilege 
unless 
a task 
switch 
occurs. 
The 
IRET 
instruction 
works like the inter-segment 
RET 
instruction 
except that the flag word is popped 
and 
no 
stack 
update 
for 
parameters 
is 
performed. 
See section 
7.5.5 for information 
on inter-level 
returns. 


To distinguish 
an inter-level 
IRET, 
the new 
CPL (which is the RPL of the return 
address 


Code segment selector + EXT 


Code segment selector + EXT 


O+EXT 


CS 
selector) 
is compared 
with 
the 
current 
CPL. If they are the same, the IP and flags 
are popped and execution 
continues. 


An inter-level 
return 
via IRET 
has 
all the 
same checks as shown in table 7-4. The only 
difference 
is the extra 
word on the stack for 
the old flag word. 


Interrupt 
gates are typically 
associated 
with 
high-priority 
hardware 
interrupts 
for 


automatically 
disabling 
interrupts 
upon their 
invocation. 
Trap gates are typically 
software- 
invoked since they do not disable the maska- 
ble hardware 
interrupts. 
However, 
low-prior- 
ity interrupts 
(e.g., a timer) 
are often invoked 


via a trap gate to allow other devices of higher 
priority to interrupt 
the handler 
of that lower 


priority 
interrupt. 


Table 9-2 illustrates 
how the interrupt 
enable 


flag and interrupt 
type interact 
with the type 
of gate used. 


9.5 
TASK GATES AND INTERRUPT TASKS 


The iAPX 
286 allows interrupts 
to directly 


cause a task switch. When an interrupt 
vector 


selects 
an entry 
in the IDT 
which 
is a task 


gate, 
a task switch 
occurs. 
The format 
of a 


task gate is described 
in section 8.5. 


A 
task 
gate 
offers 
two 
advantages 
over 


interrupt 
gates: 


1. 
It automatically 
saves all of the processor 
registers 
as part of the task-switch 
opera- 
tion whereas 
an interrupt 
gate saves only 
the flag register 
and CS:IP. 


2. 
The new task is completely 
isolated 
from 
the 
task 
that 
was interrupted. 
Address 
spaces 
are isolated 
and the 
interrupt- 
handling 
task 
is 
unaffected 
by 
the 
privilege level of the interrupted 
task. 


An interrupt 
task switch works like any other 
task switch once the TSS selector 
is fetched 
from the task gate. 
Like a trap 
or an inter- 
rupt 
gate, 
privilege 
and 
presence 
rules 
are 
applied 
to accessing 
a task 
gate 
during 
an 
interrupt. 


Interrupts 
that cause a task switch set the NT 
bit in the flags 
of the 
new task. 
The 
TSS 
selector of the interrupted 
task is saved in the 
back 
link field of the new TSS. 
The 
inter- 
rupting task executes 
IRET to perform 
a task 
switch 
to return 
to the 
interrupted 
task 
because NT was previously 
set. The interrupt 
task state is saved in its TSS before returning 
control to the task that was interrupted; 
NT 
is restored 
to its original 
value in the inter- 
rupted task. 


Since 
the 
interrupt 
handler 
state 
after 
executing 
IRET 
is saved, 
a re-entry 
of the 
interrupt 
service task will result in the execu- 
tion 
of the 
instruction 
that 
follows 
IRET. 


Therefore, 
when the next interrupt 
occurs, the 
machine 
state will be the same as that when 
the IRET instruction 
was executed. 


Note 
that 
an interrupt 
task resumes execu- 
tion each 
time 
it is re-invoked, 
whereas 
an 
interrupt 
procedure 
starts 
executing 
at the 
beginning 
of the procedure 
each 
time. 
The 
interrupted 
task restarts execution 
at the point 


Type of 
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Further 
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Exceptions? 
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NMI 
Trap 
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NMI 
Interrupt 
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No 
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INTR 
Trap 
Yes 
Yes 
.. 
Yes 
Yes 
INTR 
Interrupt 
Yes 
No 
Yes 
Yes 
Software 
Trap 
Yes 
Yes 
. 
Yes 
Yes 
Software 
Interrupt 
Yes 
No 
Yes 
Yes 
Exception 
Trap 
Yes 
Yes 
Yes 
Yes 
Exception 
Interrupt 
Yes 
No 
Yes 
Yes 


of interruption 
because interrupts 
occur before 
the execution 
of an instruction. 


When an interrupt 
task is used, the task must 
be concerned 
with avoiding further 
interrupts 
while 
it is operating. 
A general 
protection 
exception will occur if a task gate referring 
to 
a busy TSS is used while processing 
an inter- 
rupt. If subsequent 
interrupts 
can occur while 
the task is executing, 
the IF bit in the flag 
word (saved in the TSS) must be zero. 


9.5.1 
Scheduling Considerations 


A software-scheduled 
operating 
system must 
be designed to handle the fact that interrupts 
can come along 
in the middle 
of scheduled 
tasks and cause a task switch to other tasks. 
The 
interrupt-scheduled 
tasks 
may 
call the 
operating 
system 
and eventually 
the schedu- 
ler, which needs to recognize that the task that 
just 
called 
it is not 
the 
one the 
operating 
system last scheduled. 


If the Task 
Register 
(TR) 
does not contain 
the TSS 
selector 
of the last scheduled 
task, 
an 
interrupt 
initiated 
task 
switch 
has 
occurred. 
More than one task may have been 
interrupt-scheduled 
since the 
scheduler 
last 
ran. The scheduler 
must find via the backlink 
fields in each TSS 
all tasks 
that 
have been 
interrupted. 
The 
scheduler 
can 
clear 
those 
links 
and 
reset 
the 
busy 
bit 
in the 
TSS 
descriptors, 
putting 
them back in the sched- 
uling queue 
for a new analysis 
of execution 
priorities. 
Unless 
the 
interrupted 
tasks 
are 
placed 
back 
in the 
scheduling 
queue, 
they 
would have to await a later restart via the task 
that interrupted 
them. 


To locate 
tasks 
that 
have 
been 
interrupt- 
scheduled, the scheduler looks into the current 
task's 
TSS backlink 
(word one of the TSS), 
which points at the interrupted 
task. 
If that 
task was not the last task scheduled, 
then it's 
backlink 
field in the TSS 
also points 
to an 
interrupted 
task. 


The backlink field of each interrupt-scheduled 
task should be set by the scheduler 
to point 
to a scheduling 
task that 
will reschedule 
the 
highest 
priority 
task 
when 
the 
interrupt- 
scheduled 
task executes 
IRET. 


9.5.2 
Deciding Between Task, Trap and 
Interrupt Gates 


Interrupts 
and exceptions can be handled 
with 
either 
a trap/interrupt 
gate 
or a task 
gate. 


The 
advantages 
of a task 
gate 
are 
all the 
registers 
are saved and a new set is loaded 
with 
full isolation 
between 
the 
interrupted 
task 
and the interrupt 
handler. 
The 
advan- 
tages 
of a task/interrupt 
gate 
are 
faster 
response to an interrupt 
for simple operations 
and easy access to pointers 
in the context 
of 
the interrupted 
task. 
All interrupt 
handlers 
use IRET to resume the interrupted 
program. 


Trap/interrupt 
gates 
require 
that 
the inter- 
rupt handler 
be able to execute 
at the same 
or greater 
privilege level than the interrupted 
program. 
If any program 
executing 
at level 0 
can be interrupted 
through 
a trap/task 
gate, 
the 
interrupt 
handler 
must 
also execute 
at 
level 0 to avoid general 
protection 
exception. 
All code, data, and stack segment 
descriptors 
must be in the GDT to allow access from any 
task. 
But, 
placing 
all 
system 
interrupt 
handlers 
at 
privilege 
level 
0 may 
be 
in 
consistent 
with maintaining 
the integrity 
of 
level 0 programs. 


Some 
exceptions 
require 
the 
use of a task 
gate. 
The invalid 
task 
state 
segment 
excep- 
tion (#10) can arise from errors 
in the origi- 
nal 
TSS 
as 
well 
as 
in 
the 
target 
TSS. 
Handling 
the exception 
within the same task 
could 
lead 
to recursive 
interrupts 
or other 
undesirable 
effects that are difficult 
to trace. 
The double 
fault 
exception 
(#8) 
should 
also 
use a task 
gate 
to prevent 
shutdown 
from 
another 
protection 
violation 
occurring 
during 
the servicing of the exception. 


9.6 
PROTECTION 
EXCEPTIONS 
AND 
RESERVED 
VECTORS 


A protection violation will cause an excep- 
tion, i.e., a non-maskable interrupt. 
Such a 
fault can be handled by the task that caused 
it if an interrupt or trap gate is used, or by a 
different task if a task gate is used (in the 
IDT). 


Protection exceptions can be classified into 
program errors or implicit requests for service. 
The latter include stack overflow and not- 
present faults. Examples of program errors 
include attempting to write into a read-only 
segment, or violating segment limits. 


Requests for service may use different inter- 
rupt vectors, 
but many 
diverse 
types 
of 
protection 
violation use the same general 
protection fault vector. Table 9-3 shows the 
reserved exceptions and interrupts. 


When 
simultaneous 
external 
interrupt 
requests occur, they are processed in the fixed 
order shown in table 9-4. For each interrupt 
serviced, the machine state is saved. The new 
CS:IP is loaded from the gate or TSS. If other 
interrupts remain enabled, they are processed 


before the first instruction 
of the current 
interrupt 
handler, 
i.e., the last interrupt 
processed is serviced first. 


All but three exceptions are restartable after 
the exceptional condition is removed. The 
three 
non-restart able exceptions 
are the 
processor 
extension 
segment 
overrun, 
a 
segment limit exception that arises during a 
string operation, and writing into read only 
segments with ADC, SBB, RCL, and RCR 
instructions. 
The return 
address normally 
points to the failing instruction, including all 
leading prefixes. 


The instruction and data addresses for the 
processor 
extension 
segment 
overrun 
are 
contained in the processor extension status 
registers. 


Interrupt handlers for most exceptions receive 
an error code that 
identifies 
the selector 
involved, or a 0 in bits 15-3 of the error code 
field if there is no selector involved. The error 
code is pushed last, after the return address, 
on the stack that will be active when the trap 
handler begins execution. This ensures that 
the handler will not have to access another 
stack segment to find the error code. 


Vector 
Description 
Restartable 
Error Code 
Number 


0 
Divide Error Exception 
Yes 
No 
1 
Single Step Interrupt 
Yes 
No 
2 
NMI Interrupt 
Yes 
No 
3 
Breakpoint 
Interrupt 
Yes 
No 
4 
INTO Detected 
Overflow 
Exception 
Yes 
No 
5 
BOUND 
Range Exceeded 
Exception 
Yes 
No 
6 
Invalid Opcode 
Exception 
Yes 
No 
7 
Processor 
Extension 
Not Available 
Exception 
Yes 
No 
8 
Double 
Exception 
Detected 
No 
Yes (Always 
0) 
9 
Processor 
Extension 
Segment 
Overrun 
Interrupt 
No 
No 
10 
Invalid Task State Segment 
Yes 
Yes 
11 
Segment 
Not Present 
Yes 
Yes 
12 
Stack Segment 
Overrun 
or Not Present 
Yes 
Yes 
13 
General 
Protection 
No 
Yes 


1 
Instruction exception 
2 
Single step 
3 
NMI 
4 
Processor extension segment overrun 


5 
INTR 
6 
INT instruction 


The 
following 
sections 
describe 
the 
excep- 


tions in greater 
detail. 


9.6.1 
Invalid OP-Code (Interrupt 6) 


When 
an invalid 
opcode 
is detected 
by the 
execution 
unit, 
interrupt 
6 is invoked. 
(It is 
not detected 
until 
an attempt 
is made 
to 
execute 
it, i.e., prefetching 
an invalid opcode 
does 
not 
cause 
this 
exception.) 
The 
saved 


CS:IP will point to the invalid opcode or any 
leading 
prefixes; 
no error 
code is pushed 
on 


the 
stack. 
The 
exception 
can 
be handled 


within the same task, and is restartable. 


This exception 
will occur for all cases of an 
invalid operand. 
Examples 
include 
an inter- 


segment jump referencing 
a register 
operand, 
or an LES instruction 
with a register 
source 
operand. 
This 
exception 
can 
also 
occur 


because 
redundant 
prefixes 
have been placed 
before an instruction 
so that the total length 
of the instruction 
exceeds 
10 bytes. 


9.6.2 
Double Fault (Interrupt 8) 


If two separate 
protection 
violations 
occur 


during 
a single 
instruction, 
exception 
8 
(Double 
Fault) 
occurs (e.g., a general 
protec- 


tion 
fault 
in level 
3 is followed 
by a not- 


present 
fault due to a segment 
not-present). 
If another 
protection 
violation 
occurs 
during 
the processing 
of exception 
8, the iAPX 
286 
enters shutdown, during which time no further 
instructions 
or exceptions 
are processed. 


out of shutdown. 
An NMI 
input can bring the 


CPU out of shutdown 
if no errors occur while 


processing 
the 
NMI 
interrupt; 
otherwise, 


shutdown 
can only be exited via the RESET 


input. 
NMI 
causes 
the 
CPU 
to remain 
in 


protected 
mode, and RESET 
causes it to exit 


protected 
mode. Shutdown 
is signaled 
exter- 
nally 
via a HALT 
bus 
operation 
with 
Al 


HIGH. 


A task gate must be used for the double fault 
handler 
to assure 
a proper 
task 
state 
to 


respond to the exception. 
The back link field 
in the current 
TSS will identify 
the TSS 
of 


the 
task 
causing 
the 
exception. 
The 
saved 
address will point at the instruction 
that was 


being 
executed 
(or 
was 
ready 
to execute) 
when the error was detected. 
The error 
code 
will be null. 


9.6.3 
Processor Extension Segment 
Overrun (Interrupt 9) 


Interrupt 
9 signals that 
the processor 
exten- 
sion (such as the 80287 numerics 
processor) 


has 
overrun 
the 
limit 
of a segment 
while 
attempting 
to read/write 
the second or subse- 


quent words of an operand. 
The interrupt 
is 
generated 
by the 
processor 
extension 
data 
channel within the 80286 during the limit test 
performed 
on each transfer 
of data 
between 
memory 
and 
the 
processor 
extension. 
This 
interrupt 
can be handled 
in the same task but 


is not restartable. 


As with all external 
interrupts, 
Interrupt 
9 is 
an 
asynchronous 
demand 
caused 
by 
the 


processor 
extension 
referencing 
something 


outside a segment 
boundary. 
Since Interrupt 


9 can 
occur 
any 
time 
after 
the 
processor 


extension 
is started, 
the 80286 does not save 
any information 
that identifies 
what particu- 


lar operation 
had been initiated 
in the proces- 


sor 
extension. 
The 
processor 
extension 


maintains 
special 
registers 
that 
identify 
the 
last instruction 
it executed 
and the address of 
the desired operand. 


After 
this 
interrupt 
occurs, 
no WAIT 
or 
escape 
instruction, 
except 
FNINIT, 
can be 
executed 
until 
the 
interrupt 
condition 
is 
cleared or the processor extension is reset. The 
interrupt 
signals that the processor 
extension 
is requesting 
an invalid 
data 
transfer. 
The 
processor 
extension 
will always be busy when 
waiting on data. Deadlock 
results if the CPU 
executes 
an instruction 
that causes it to wait 
for the processor extension before resetting the 
processor extension. Deadlock means the CPU 
is waiting 
for 
the 
processor 
extension 
to 
become 
idle while 
the processor 
extension 
waits for the CPU to service its data request. 


The 
FNINIT 
instruction 
is guaranteed 
to 
reset the processor 
extension 
without 
causing 
deadlock. 
After 
the interrupt 
is cleared, 
this 
restriction 
is lifted. It is then possible to read 
the 
instruction 
and 
operand 
address 
via 
FSTENV 
or FSA VE, causing 
the 
segment 
overrun 
in the 
processor 
extension's 
special 
registers. 


9.6.4 
Invalid Task State Segment 
(Interrupt 10) 


Interrupt 
10 is invoked if during a task switch 
the new TSS 
pointed 
to by the task gate 
is 
invalid. 
The EXT 
bit indicates 
whether 
the 
exception 
was caused by an event outside the 
control of the program. 


A TSS is considered invalid in the cases shown 
in table 9-5. 


Once the existence of the new TSS is verified, 
the task switch is considered 
complete, 
with 
the backlink 
set to the old task if necessary. 
All errors 
are handled 
in the context 
of the 
new task. 


Exception 
10 must use a task gate to insure a 
proper TSS to process it. 


9.6.5 
Not Present (Interrupt 11) 


Exception 
11 occurs when an attempt 
is made 
to load 
a not-present 
segment 
or to use 
a 
control descriptor 
that is marked 
not-present. 


(If, however, the missing segment 
is an LDT 


Reason 
Error Code 


I 
The limit in the TSS descriptor is less than 43 
TSS id + EXT 


Invalid LOT selector or LOT not present 
LOT id + EXT 


I 
Stack segment selector is outside table limit 
SS id + EXT 


Stack segment is not a writable segment 
SS id + EXT 


I 
Stack segment OPL does not match new CPL 
SS id + EXT 


Stack segment selector RPL'¢'CPL 
SS id + EXT 


I 
Code segment selector is outside table limit 
CS id + EXT 


Code segment selector does not refer to code segment 
CS id + EXT 


) 
Non-conforming code segment OPL'¢'CPL 
CS id + EXT 


Conforming code segment OPL>CPL 
CS id + EXT 


OS or ES segment selector is outside table limits 
ES/OS id + EXT 


OS or ES are not readable segments 
ES/OS id + EXT 


INTERRUPTS AND EXCEPTIONS 


that is needed in a task switch, exception 
10 


occurs.) 
This exception 
is fully restartable. 


Any segment 
load instruction 
can cause this 


exception. 
Interrupt 
11 is always processed 
in 


the context of the task in which it occurs. 


The error code has the form shown in figure 
9-5. The EXT bit will be set if an event exter- 
nal to the program 
caused 
an interrupt 
that 


subsequently 
referenced 
a 
not-present 


segment. 
Bit 1 will be set if the error 
code 


refers to an IDT entry, e.g., an INT 
instruc- 


tion referencing 
a not-present 
gate. The upper 


14 bits are the upper 
14 bits of the segment 


selector involved. 


When a not-present 
exception 
occurs, the ES 


and DS segment 
registers 
may not be usable 


for referencing 
memory. During a task switch, 


the 
selector 
values 
are 
loaded 
before 
the 


descriptors 
are 
checked. 
The 
not-present 


handler 
should not rely on being able to use 


the 
values 
found 
in CS, 
ES, 
SS, 
and 
DS 


without 
causing 
another 
exception. 


9.6.6 
Stack Fault (Interrupt 12) 


Stack underflow 
or overflow causes exception 


12, as does a not-present 
stack segment 
refer- 


enced 
during 
an inter-task 
or inter-level 


transition. 
This exception 
is fully restartable. 
A limit violation 
of the current 
stack results 


in an error code of O. The EXT bit of the error 
code tells whether 
an interrupt 
external 
to the 


program 
caused the exception. 


Any instruction 
that 
loads 
a selector 
to SS 


(e.g., 
POP 
SS, task 
switch) 
can cause 
this 


exception. This exception must use a task gate 
if there is a possibility 
that 
any level 0 stack 


may not be present. 


When 
a stack 
fault 
occurs, 
the ES and DS 


segment 
registers 
may 
not 
be usable 
for 


referencing 
memory. During a task switch, the 


selector values are loaded before the descrip- 
tors 
are 
checked. 
The 
stack 
fault 
handler 
should check the saved values of SS, CS, DS, 
and ES to be sure that 
they refer to present 
segments 
before restoring 
them. 


9.6.7 
General Protection Fault 
(Interrupt 13) 


If a protection 
violation 
occurs 
which 
is not 
covered 
in the 
preceding 
paragraphs, 
it is 
classed as Interrupt 
13, a general 
protection 
fault. 
The error 
code is zero for limit viola- 
tions, write to read-only 
segment 
violations, 
and accesses relative 
to DS or ES when they 
are zero or refer 
to a segment 
at a greater 
privilege level than CPL. Other 
access viola- 
tions (e.g., a wrong 
descriptor 
type) 
push 
a 
non-zero 
error code that 
identifies 
the selec- 
tor used on the stack. 
Error 
codes with bit 0 
cleared 
and bits 
15-2 non-zero 
indicate 
a 
restartable 
condition. 


Bit 1 of the error code identifies 
whether 
the 
selector 
is in the IDT 
or LDT /GDT. 
If bit 
1=0 
then bit 2 separates 
LDT 
from 
GDT. 


Bit 0 (EXT) 
indicates 
whether 
the exception 
was caused by the program 
or an event exter- 
nal to it (Le., 
single 
stepping, 
an external 
interrupt, 
a processor extension 
not-present 
or 
a segment 
overrun). 
If bit 0 is set, the selec- 
tor 
typically 
has 
nothing 
to do with 
the 
instruction 
that was interrupted. 
The selector 
refers 
instead 
to some 
step of servicing 
an 
interrupt 
that failed. 


When 
bit 
0 of the 
error 
code 
is set, 
the 
program 
can be restarted, 
except 
for proces- 
sor extension segment overrun exceptions. 
The 
exception 
with the bit 0 of the error code = 1 
indicates 
some interrupt 
has been lost due to 
a fault in the descriptor 
pointed to by the error 
code. 


A non-zero error code with bit 0 cleared 
may 
be an operand 
of the interrupted 
instruction, 


an operand 
from 
a gate 
referenced 
by the 
instruction, 
or a field from the invalid TSS. 


9.7 
ADDITIONAL 
EXCEPTIONS 
AND 
INTERRUPTS 


Interrupts 
0, 5, and 
I have 
not 
yet 
been 
discussed. 
Interrupt 
0 is the 
divide-error 
exception, 
Interrupt 
5 the 
bound-range 
exceeded 
exceptions, 
and 
Interrupt 
I the 
single 
step 
interrupt. 
The 
divide-error 
or 
bound-range 
exceptions 
make it appear 
as if 
that 
instruction 
had 
never 
executed: 
the 
registers 
are restored 
and the instruction 
can 
be restarted. 
The divide-error 
exception occurs 
during 
a DIY or an IDlY 
instruction 
when 
the quotient 
will be too large to be represent- 


able, or when the divisor is zero. 


Interrupt 
5 occurs when a value exceeds 
the 
limit 
set 
for 
it. 
A program 
can 
use 
the 


BOUND 
instruction 
to check a signed array 


index against 
signed limits defined 
in a two- 


word 
block 
of memory. 
The 
block 
can 
be 


located 
just 
before 
the 
array 
to simplify 


addressing. 
The block's first word specifies the 


array's 
lower limit, the second word specifies 


the array's 
upper 
limit, and a register 
speci- 
fies the array index to be tested. 


9.7.1 
Sin91e Step Interrupt 
(Interrupt 
1) 


Interrupt 
I allows programs 
to execute 
one 


instruction 
at a time. This single-stepping 
is 


controlled 
by the 
TF 
bit in the 
flag 
word. 


Once 
this bit is set, an internal 
single 
step 


interrupt 
will occur after the next instruction 
has been 
executed. 
The 
interrupt 
saves the 
flags and return 
address 
on the stack, 
clears 
the TF bit, and uses an internally 
supplied 
vector of I to transfer 
control 
to the service 
routine via the IDT. 


The IRET 
instruction 
or a task switch 
must 
be used 
to set the 
TF 
bit 
and 
to transfer 
control 
to the 
next 
instruction 
to be single 
stepped. 
If TF= 
I in a TSS and that 
task is 
invoked, 
it will execute 
the first 
instruction 
and then be interrupted. 


The single-step 
flag is normally 
not cleared 
by privilege 
changes 
inside 
a task. 
INT 
instructions 
also 
do not 
clear 
TF. 
System 
software 
should check the current 
execution 
privilege level after 
any single step interrupt 
to see whether single stepping should continue. 


The interrupt 
priorities 
in hardware 
guaran- 
tee that if an external 
interrupt 
occurs, single 
stepping 
stops. When both an external 
inter- 


rupt and a single step interrupt 
occur together, 
the single step interrupt 
is processed first. This 
clears 
the 
TF 
bit. 
After 
saving 
the 
return 
address or switching 
tasks, the external 
inter- 


rupt 
input 
is examined 
before 
the 
first 
instruction 
of the single step handler 
executes. 


If the external 
interrupt 
is still pending, 
it is 
then serviced. The external 
interrupt 
handler 
is not single-stepped. 
To single step an inter- 
rupt 
handler, 
just 
single 
step 
an 
interrupt 
instruction 
that refers to the interrupt 
handler. 


System Control And 
Initializa tion 
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CHAPTER 10 
SYSTEM CONTROL AND INITIALIZATION 


Special 
flags, 
registers, 
and instructions 
provide contol of the critical processes and 
interaction in iAPX 286 operations. The flag 
register includes 3 bits that 
represent 
the 
current I/O privilege level (IOPL: 2 bits) and 
the nested task bit (NT). 
Four additional 
registers support the virtual addressing and 
memory protection features, one points to the 
current Task State Segment and the other 
three point to the memory-based descriptor 
tables: GDT, LDT, and IDT. These flags and 
registers are discussed in the next section. The 
machine 
status 
word, 
(which 
indicates 
processor configuration and status) and the 
instructions 
that 
load 
and 
store 
it 
are 
discussed in section 10.2.2. 


Similar instructions pertaining to the other 
registers are the subject of sections 10.2 and 
10.3. A detailed description of initialization 
states and processes, which appears in section 
10.4, is supplemented 
by the 
extensive 
example in Appendix A. Instructions 
that 


validate descriptors and pointers are covered 
in section 11.3. 


10.1 
SYSTEM FLAGS AND REGISTERS 


The IOPL flag (bits 12 and 13 of the flags 
word) controls access to I/O operations and 
interrupt control instructions. These two bits 
represent 
the 
maximum 
privilege 
level 
(highest numerical CPL) at which the task is 
permitted to perform I/O instructions. Alter- 
ation 
of the 10PL 
flags is restricted 
to 
programs at level 0 or to a task switch. 


IRET uses the NT flag to select the proper 
return: if NT=O, the normal return within a 
task is performed. As discussed in Chapter 8, 
the nested task flag (bit 14 of flags) is set 
when a task initiates a task switch via a 


CALL or INT instruction. The old and new 
task state segments are marked busy and the 
backlink field of the new TSS is set to the old 
TSS selector. An interrupt that does not cause 
a task switch will clear NT after the old NT 
state is saved. To prevent a program from 
causing an illegal task switch by setting NT 
and then executing IRET, 
a zero selector 
should be placed in the backlink field of the 
TSS. An illegal task switch using IRET will 
then cause exception 
13. The instructions 
POPF and IRET can also set or clear NT 
when flags are restored from the stack. POPF 
and IRET 
can also change 
the interrupt 
enable flag. If CPL ~ 10PL, then the Inter- 
rupt Flag (IF) can be changed by POPF and 
IRET. Otherwise, the state of the IF bit in 
the new flag word is ignored by these instruc- 
tions. Note that the CLI and STI instructions 
are valid only when CPL ~ 10PL. 


10.1.1 
Descriptor Table Registers 


The three 
descriptor 
tables 
used for all 
memory accesses 
are based at addresses 
supplied by (stored in) three registers: the 
global descriptor table register (GDTR), the 
interrupt 
descriptor table register (IDTR), 
and 
the 
local 
descriptor 
table 
register 
(LDTR). Each register contains a 24-bit base 
field and a l6-bit limit field. The base field 
gives the real memory address of the begin- 
ning of the table; the limit field tells the 
maximum offset permitted in accessing table 
entries. See figures 10-1 thru 10-3. 


The LDT also contains a selector field that 
identifies the DT descriptor for that table. 
LDT descriptors must reside in the GDT. 


The task register (TR) points to the task state 
segment for the currently active task. It is 
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Figure 10-3. Global Descriptor 
Table and Interrupt 
Descriptor 
Data Type 


similar to a segment register, with selector, 
base, and limit fields, of which only the selec- 
tor field is readable under normal circum- 
stances. Each such selector serves as a unique 
identifier for its task. The uses of the TR are 
described in Chapter 8. 


The instructions 
controlling 
these special 


registers are described in the next section. 


10.2 
SYSTEM CONTROL INSTRUCTIONS 


The instructions that load the GDTR 
and 


IDTR from memory can only be executed at 
privilege level O. The store instructions for 
GDTR and IDTR may be executed at any 
privilege 
level. The four instructions 
are 


LIDT, 
LGDT, 
SIDT, 
and 
SGDT. 
The 


instructions 
move 3 words 
between 
the 


indicated descriptor table register and the 
effective real memory address supplied. The 
format of the 3 words is: a 2-byte limit, a 3- 
byte real base address, followed by an unused 
byte. These instructions are normally used 
during system initialization. 


Similarly, the LLDT instruction 
loads the 


LDT registers from a descriptor in the GDT. 
LLDT uses as its operand a selector to that 


descriptor. LLDT, only executable at prlVl- 
lege level 0, is normally required only during 
system initialization 
because the processor 
automatically exchanges the LDTR contents 
as part of the task-switch operation. 


Executing 
an LLDT instruction 
does not 
automatically update the TSS or the register 
caches. To properly change the LDT of the 
currently running task so that the change 
holds across task switches, you must perform, 
in order, the following three steps: 


1. 
Store the new LDT selector 
into the 
appropriate word of TSS. 


2. 
Load the new LDT selector into LDTR. 


3. 
Reload the DS and ES registers if they 
refer to LDT-based descriptors. 


Note that the current code segment and stack 
segment descriptors should reside in the GDT 
or be copied to the same location in the new 
LDT. 


SLDT (store LDT) can be executed at any 
privilege level. SLDT stores the local descrip- 
tor table selector from the LDT register. 


Task Register 
loading or storing 
is again 
similar to that of the LDT. The LTR instruc- 
tion, operating only at level 0, loads the LTR 
at initialization time with a selector for the 
initial TSS. LTR does NOT cause a task 
switch; it just changes the current TSS. Note 
that the busy bit of the old TSS descriptor is 
not changed while the busy bit of the new TSS 
selector must be zero and will be set by LTR. 
The LDT and any segment registers referring 
to the old LDT should be reloaded. STR, 
which permits the storing of TR contents into 
memory, can be executed at any privilege 
level. LTR is not usually needed after initial- 
ization because the TR is managed by the 
task-switch operation. 


10.2.2 
Machine Status Word 


The Machine Status Word (MSW) indicates 
the iAPX 286 configuration and status. It is 
not part of a task's state. The MSW word is 
loaded by the LMSW instruction executed at 
privilege level 0 only, or is stored by the 
SMSW instruction executing at any privilege 
level. MSW is a 16-bit register, the lower four 
bits of which are used. These bits have the 
meanings shown in table 10-1. 


The TS flag is set under hardware control and 
reset under software control. Once the TS flag 
is set, the next instruction using a processor 
extension causes a processor extension not- 
present exception (#7). This feature allows 
software to test whether the current proces- 
sor extension state belongs to the current task 
as discussed in section 11.4. If the current 


Bit 
Name 
Function 
r 


P081tlon 
- 


0 
PE 
Erotected 
mode enable places 
the 80286 into protected mode 
and cannot be cleared except by 
RESET. 


1 
MP 
Monitor 
processor 
extension 
allows WAIT instructions to cause 
a 
processor 
extension 
not- 
present exception (number 7). 


2 
EM 
Emulate 
processor 
extension 
causes a processor 
extension 


not-present exception (number 7) 
on ESe 
instructions to allow a 
processor 
extension 
to 
be 
emulated. 


3 
TS 
Iask switched indicates the next 
instruction 
using a processor 
extension will cause exception 7. 


'-, 
allowing software to test whether 


I. 
the current processor extension 
context belongs to the current 
task. 


processor extension state belongs to a differ- 
ent task, the software can save the state of 
any processor extension with the state of the 
task that uses it. Thus, the TS bit protects a 
task from processor extension 
errors that 


result from the actions of a previous task. 


The CLTS instruction is used to reset the TS 
flag after the exception handler has set up the 
proper processor extension state. The CLTS 
instruction can be executed at privilege level 
o only. 


The EM flag indicates a processor extension 
function is to be emulated by software. If 
EM= I and MP=O, 
all ESCAPE 
instruc- 
tions will be trapped via the processor exten- 
sion not-present exception (#7). 


MP flag tells whether a processor extension 
is present. If MP= I and TS= I, escape and 
wait instructions will cause exception 7. 


The PE flag indicates that the iAPX 286 is 
in the protected virtual address mode. Once 
the PE flag is set, it can be cleared only by a 
reset, which then puts the system in real 
address mode emulating the 8086. 


Table 10-2 shows the recommended usage of 
the MSW. 


10.2.3 
Other Instructions 


Instructions that verify or adjust access rights, 
segment limits, or privilege levels can be used 
to avoid exceptions or faults that are correct- 
able. Section 10.3 describes such instructions. 


10.3 
PRIVILEGED AND TRUSTED 
INSTRUCTIONS 


Instructions that execute only at CPL=O are 
called "privileged." An attempt to execute the 
privileged instructions at any other privilege 
level causes a general protection exception 


Instructions 


TS 
MP 
EM 
Recommended 
Use 
Causing 
Exception 


a 
a 
a 
iAPX 86 real address mode only. Initial encoding after RESET. iAPX 
None 
286 operation is identical to iAPX 86, 88. 


a 
a 
1 
No processor extension is available. Software will emulate its 
ESe 
function. 


1 
a 
1 
No processor extension is available. Software will emulate its 
ESeS 
function. The current processor extension context may belong to 
another task. 


a 
1 
a 
A processor extension exists. 
None 


1 
1 
a 
A processor extension exists. The current processor extension 
ESe or 


context may belong to another task. The exception on WAIT allows 
WAIT 


software to test for an error pending from a previous processor 
extension operation. 


(#13) with an error code of zero. The privi- 
leged instructions manipulate descriptor tables 
or system registers. Incorrect 
use of these 


instructions 
can 
produce 
unrecoverable 


conditions. 
Some 
of 
these 
instructions 


(LGDT, LLDT, and LTR) are discussed in 
section 10.2. 


• 
L1DT-Load 
interrupt 
descriptor table 


register 


• 
LMSW-Load 
machine status word 


• 
CLTS-Clear 
task switch flag 


• 
HALT-Halt 
processor execution 


"Trusted" 
instructions 
are restricted 
to 


execution 
at privilege 
levels that 
can be 


programmed. 
For each task, the operating 


system defines a privilege level below which 
these instructions cannot be used. Most of 
these instructions deal with input/output 
or 


interrupt management. The 10PL field in the 


flag word holds the privilege level limit. The 
trusted instructions are: 


• 
Input/Output-Block 
I/O, 
Input, 
and 


Output: IN, INW, OUT, OUTW, INSB, 
INSW, OUTSB, OUTSW 


• 
Interrupts-Enable 
Interrupts, 
Disable 


Interrupts: ST!, CLI 


• 
Other-Lock 
Prefix 


Note: POPF (POP flags) or IRET can change 
the IF value only if the user is operating at a 
trusted privilege level. POPF does not change 
10PL except at Level O. 


Whenever the iAPX 286 is initialized or reset, 
certain registers are set to predefined values. 
All additional desired initialization must be 
performed by user software. (See Appendix 
A for an example 
of a 286 initialization 
routine.) RESET 
forces the iAPX 286 to 


terminate all execution and local bus activity; 
no instruction or bus action will occur as long 
as RESET is active. Execution in real address 
mode begins after RESET becomes inactive 
and an internal 
processing 
interval 
(3-4 


clocks) occurs. The initial state at reset is: 


FLAGS = 0002 
MSW 
= FFFOH 
IP 
= FFFOH 
CS Selector = FOOOH 
ES, CS Selector = OOOOH 
lOT base = OOOOOOH 


CS.base = FFOOOOH CS.limit 
= FFFFH 


DS.base = OOOOOOH DS.limit 
= FFFFH 


lOT.limit 
= 03FFH 


Two fixed areas of memory are reserved: the 
system initialization area and the interrupt 
table area. The system initialization 
area 


begins at FFFFFOH 
(through 
FFFFFFH) 


and 
the 
interrupt 
table 
area 
begins 
at 


OOOOOOH 
(through 0003FFH). The interrupt 


table area is not reserved. 


At this point, segment registers are valid and 
protection bits are set to O. The iAPX 286 
begins operation in real address mode, with 
PE=O. Maskable interrupts are disabled, and 
no processor extension is assumed or emulated 
(EM=MP=O). 


DS, ES, and SS are initialized at reset to 
allow access to the first 64K of memory 
(exactly as in the 8086). The CS:IP combi- 
nation 
specifies 
a 
starting 
address 
of 


FFFFOH. For real address mode, the four 
most significant bits are not used, providing 
the same FFFOH address as the 8086 reset 
location. Use of (or upgrade to) the protected 
mode can be supported by a bootstrap loader 
at the high end of the address space. As 
mentioned 
in Chapter 
5, location 
FFFOH 


ordinarily contains a JMP instruction whose 
target is the actual beginning of a system 
initialization or restart program. 


After RESET, CS points to the top 64K bytes 
in the 16-Mbyte 
physical 
address 
space. 


Reloading CS register by a control transfer 


to a different code segment in real address 
mode will put zeros in the upper 4 bits. Since 
the initial IP is FFFOH, all of the upper 64K 
bytes of address 
space may be used for 
initialization. 


Sections 10.4.1 and 10.4.2 describe the steps 
needed to initialize the iAPX286 in the real 
address 
mode 
and 
the 
protected 
mode, 


respectively. 


1. 
Allocate a stack. 


2. 
Load programs and data into memory 
from secondary storage. 


3. 
Initialize 
external 
devices 
and 
the 
Interrupt Vector Table. 


4. 
Set registers and MSW bits to desired 
values. 


5. 
Set 
FLAG 
bits 
to desired 
values- 


including the IF bit to enable 
inter- 
rupts-after 
insuring that a valid inter- 
rupt handler 
exists for each possible 


interrupt. 


6. 
Execute (usually via an inter-segment 
JMP to the main system program). 


10.4.2 Protected Mode 


The full iAPX 286 virtual 
address 
mode 
initialization 
procedure requires additional 
steps to operate correctly: 


1. Load programs and associated descriptor 
tables. 


2. Load valid descriptor tables, setting the 
GDTR and IDTR to their correct value. 


3. Set the PE bit to enter protected mode. 


4. Execute an intra-segment JMP to clear 
the processor queues. 


5. Load or construct 
a valid task state 
segment for the initial task to be executed 
in protected mode. 


6. Load the LDTR selector from the task's 
GDT or OOOOH (null) if an LDT is not 
needed. 


7. Set the stack pointer (SS, SP) to a valid 
location in a valid stack segment. 


8. Mark 
all 
items 
not 
in 
memory 
as 
not-present. 


9. Set FLAGS and MSW bits to 
values 
for 
the 
desired 
configuation. 


10. Initialize external devices. 


correct 
system 


11. Ensure that a valid interrupt 
handler 
exists for each possible interrupt. 


12. Enable interrupts. 


13. Execute. 


The example in Appendix A shows the steps 
necessary to load all the required tables and 
registers that permit execution of the first task 
of a protected mode system. The program in 
Appendix A assumes that Intel development 
tools have been used to construct a prototype 
GDT, IDT, LDT, TSS, and all the data 
segments necessary to start up that first task. 
Typically, these items are stored on EPROM; 
on most systems it is necessary to copy them 
all into RAM to get going. Otherwise, the 
iAPX 286 will attempt 
to write into the 
EPROM to set the accessed or busy bits. 


The example in Appendix A also illustrates 
the ability 
to allocate 
unused 
entries 
in 
descriptor tables to grow the tables dynami- 
cally during execution. Using suitable naming 
conventions,the builder can allocate alias data 
segments that are larger than the prototype 
EPROM version. The code in the example 
will zero out the extra entries to permit later 
dynamic usage. 
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CHAPTER 11 
ADVANCED TOPICS 


This chapter describes some of the advanced 
topics 
as virtual 
memory 
management, 
restartable 
instructions, 
special 
segment 
attributes, and the validation of descriptors 
and pointers. 


11.1 
VIRTUAL 
MEMORY 
MANAGEMENT 


When access to a segment is requested and 
the access byte in its descriptor indicates the 
segment is not present in real memory, the 
not-present fault occurs (exception 11 or 12 
for stacks). The handler for this fault can be 
set up to bring the absent segment into real 
memory (swapping or overwriting 
another 
segment if necessary), or to terminate execu- 
tion of the requesting program if this is not 
possible. 


The accessed bit (bit 0) of the access byte is 
provided in both executable and data segment 
descriptors to support segment usage profil- 
ing. Whenever the descriptor is accessed by 
the iAPX 286 hardware, the A-bit will be set 
in memory. 
This applies 
to selector 
test 
instruction (described below) as well as to the 
loading of a segment register. The reading of 
the access byte and the restoration of it with 
the A-bit set is an indivisible operation, i.e., 
it is performed as a read-modify-write with 
bus lock. If an operating system develops a 
profile of segment usage over time, it can 
recognize segments of low or zero access and 
choose 
among 
these 
candidates 
for 
replacement. 


When a not-present segment is brought into 
real memory, the task that requested access 
to it can continue its execution because all 
instructions that load a segment register are 
restartable. 


Not-present exceptions occur only on segment 
register load operations, gate accesses, and 


task switches. The saved instruction pointer 
refers 
to the first 
byte 
of the violating 
instruction. All other aspects of the saved 
machine state are exactly as they were before 
execution of the violating instruction began. 
After the fault handler clears up the fault 
condition and performs an IRET, the program 
continues 
to execute. 
The only external 
indication of a segment swap is the additional 
execution time. 


Code segments intended for use at potentially 
different privilege levels need an attribute that 
permits them to emulate the privilege level of 
the calling task. Such segments are termed 
"conforming" 
segments. 
Conforming 
segments are also useful for interrupt-driven 
error routines that need only be as privileged 
as the routine that caused the error. 


A conforming code segment has bit 2 of its 
access byte set to 1. This means it can be 
referenced by a CALL or JMP instruction in 
a task of equal or lesser privilege, i.e., CPL of 
the task is numerically greater than or equal 
to DPL of this segment. CPL does not change 
when executing the conforming code segment. 
A conforming segment continues to use the 
stack from the CPL. This is the only case in 
which the DPL of a code segment can be 
numerically less than the CPL. If bit 2 is a 0, 
the segment is not conforming and can be 
referenced only by a task of CPL=DPL. 


Inter-segment Returns that refer to conform- 
ing code segments use the RPL field of the 
code selector of the return address to deter- 
mine the new CPL. The RPL becomes the 
new CPL if the conforming code segment 
DPL<RPL. 


.~~~ 
UVIU 
au'y 
pUVIlt:gt: 
level Without restric- 
tion. This is the only exception 
to the protec- 


tion rules. This allows constants 
to be stored 
with conforming 
code. For example, 
a read- 
only 
look-up 
table 
can 
be embedded 
in a 
conforming 
code segment 
that can be used to 
convert system-wide 
logical ID's into charac- 
ter strings that represent 
those logical entities. 


11.2.2 
Expand-Down Data Segments 


If bit 2 in the access byte of a data 
segment 
is 1, the segment 
is an expand-down 
segment. 


All the offsets that reference 
such a segment 
must 
be strictly 
greater 
than 
the 
segment 
limit, as opposed to normal data segments (bit 
2=0) 
where all offsets 
must be less than 
or 
equal to the segment 
limit. Figure 
11-1 shows 
an expand-down 
segment. 


The size of the expand down segment 
can be 
changed 
by changing 
either 
the base or the 
limit. 
An 
expand 
down 
segment 
with 
Limit=O 
will have 
a size of 216-1 
bytes .. 
With 
a limit 
value 
of FFFFH, 
the 
expand 
down segment 
will have a size of 0 bytes. 
In 
an expand 
down segment, 
the base + offset 


- 
+ limit value. Therefore, 
a full size segment 
(216 bytes) can only be obtained 
by using an 
expand up segment. 


The 
operating 
system 
should 
check 
the 
Expanded 
Down bit when a protection 
fault 
indicates 
that the limit of a data segment 
has 
been reached. 
If the Expand 
Down bit is not 
set, the operating 
system should increase 
the 
segment 
limit; if it is set, the limit should be 
lowered. 
This 
supplies 
more 
room 
in either 
case 
(assuming 
the 
segment 
is not 
write- 
protected, 
i.e., that 
bit 
1 is not 0). In some 
cases, if the operating 
system 
can ascertain 
that there 
is not enough 
room to expand 
the 
data 
segment 
to meet 
the need that 
caused 
the fault, it can move the data 
segment 
to a 
region 
of memory 
where 
there 
is enough 
room. See figure 
11-2. 


11.3 
POINTER VALIDATION 


Pointer 
validation 
is an 
important 
part 
of 
locating 
programming 
errors. 
Pointer 
valida- 
tion 
is necessary 
for 
maintaining 
isolation 
between 
the privilege 
levels. Pointer 
valida- 
tion consists of the following steps: 


1. 
Check 
if the 
supplier 
of the 
pointer 
is 
entitled 
to access the segment. 


2. 
Check if the segment 
type is appropriate 
to its intended 
use. 


3. 
Check if the pointer violates the segment 
limit. 


The 
iAPX 
286 
hardware 
automatically 
performs 
checks 
2 and 
3 during 
instruction 
execution, 
while 
software 
must 
assist 
in 
performing 
the 
first 
check. 
This 
point 
is 
discussed 
in section 
11.3.2. 
Software 
can 
explicitly 
perform 
steps 2 and 3 to check for 
potential 
violations 
(rather 
than 
causing 
an 
exception). 
The 
unprivileged 
instructions 
LSL, LAR, VERR, 
and VER Ware 
provided 
for this purpose. 


OLD BASE 


+ OLD LIMIT 


OLD BASE 


The load access rights (LAR) 
instruction 
obtains the access rights byte of a descriptor 
pointed to by the selector used in the instmc- 
tion. If that selector is visible at the CPL, the 
instruction 
loads the access byte into the 
specified destination 
register as the higher 
byte (the low byte is zero) and the zero flag 
is set. Once loaded, the access bits can be 
tested. System segments such as a task state 
segment or a descriptor table cannot be read 
or modified. This instruction is used to verify 
that a pointer refers to a segment of the 
proper privilege level and type. If the RPL or 
CPL is greater than DPL, or the selector is 
outside the table limit, no access value is 
returned 
and 
the 
zero 
flag 
is cleared. 
Conforming code segments may be accessed 
from any RPL or CPL. 


Additional 
parameter 
checking 
can 
be 
performed via the load segment limit (LSL) 
instruction. If the descriptor denoted by the 
given selector (in memory or a register) is 
visible at the CPL, LSL loads the specified 
register with a word that consists of the limit 
field of that descriptor. This can only be done 
for segments, task state segments, and local 


descriptor 
tables (i.e., words from control 
descriptors are inaccessible). Interpreting the 
limit is a function of the segment type. For 
example, 
downward 
expandable 
data 
segments treat the limit differently than code 
segments do. 


For both LAR and LSL, the zero flag (ZF) 
is set if the loading was performed; otherwise, 
the zero flag is cleared. Both instructions are 
undefined in real address mode, causing an 
invalid opcode exception (interrupt #6). 


11.3.1 
Descriptor Validation 


The iAPX 286 has two instructions, VERR 
and VER W, which determine 
whether 
a 
selector points to a segment that can be read 
or written 
at the current 
privilege 
level. 


Neither instruction causes a protection fault 
if the result is negative. 


VERR verifies a segment for reading and 
loads ZF with 1 if that segment is readable 
from the current privilege level. The valida- 
tion process checks that: l) the selector points 
to a descriptor within the bounds of the GDT 
or LDT, 2) it denotes a segment descriptor 


(as opposed to a control descriptor), and 3) 
the segment is readable and of appropriate 
privilege level. The privilege check for data 
segments and non-conforming code segments 
is that the DPL must be numerically greater 
than or equal to both the CPL and the selec- 
tor's RPL. Conforming 
segments 
are not 


checked for privilege level. 


VER W provides 
the same capability 
as 


VERR for verifying 
writability. 
Like the 


VERR instruction, VER W loads ZF if the 
result of the writability check is positive. The 
instruction checks that the descriptor is within 
bounds, is a segment descriptor, is writable, 
and that its DPL is numerically greater or 
equal to both the CPL and the selector's RPL. 
Code segments are never writable, conform- 
ing or not. 


11.3.2 
Pointer Integrity: RPL and the 
"Trojan Horse Problem" 


The Requested Privilege Level (RPL) feature 
can prevent inappropriate use of pointers that 
could corrupt the operation of more privi- 
leged code or data from a less privileged level. 


A common example is a file system proce- 
dure, FREAD (file.-id, nybytes, buffer-ptr). 
This hypothetical procedure reads data from 
a file into a buffer, overwriting whatever is 
there. Normally, FREAD would be available 
at the user level, supplying only pointers to 
the file system procedures and data located 
and operating at a privileged level. Normally, 
such a procedure prevents user-level proce- 
dures from directly changing the file tables. 
However, in the absence of a standard proto- 
col for checking pointer validity, a user-level 
procedure could supply a pointer into the file 
tables in place of its buffer pointer, causing 
the FREAD 
procedure 
to corrupt 
them 


unwittingly. 


By using the RPL, 
you can avoid such 


problems. The RPL field allows a privilege 


attribute to be assigned to a selector. This 
privilege attribute would normally indicate the 
privilege level of the code which generated the 
selector. 
The 
iAPX 
286 
hardware 
will 
automatically check the RPL of any selector 
loaded into a segment register or a control 
register to see if the RPL allows access. 


To guard against invalid pointers, the called 
procedure need only ensure that all selectors 
passed to it have an RPL at least as high 
(numerically) 
as the caller's 
CPL. 
This 


indicates that the selectors were not more 
trusted 
than their supplier. 
If one of the 
selectors is used to access a segment that the 
caller would not be able to access directly, i.e., 
the RPL is numerically greater than the DPL, 
then a protection fault will result when loaded 
into a segment or control register. 


The caller's CPL is available in the CS selec- 
tor that was pushed on the stack as the return 
address. A special instruction, ARPL, can be 
used to appropriately adjust the RPL field of 
the pointer. 
ARPL 
(Adjust 
RPL field of 


selector instruction) adjusts the RPL field of 
a selector to become the larger of its original 
value and the value of the RPL field in a 
specified 
register. 
The latter 
is normally 


loaded from the caller's CS register. If the 
adjustment changes the selector's RPL, ZF is 
set; otherwise, the zero flag is cleared. 


11.4 NPX CONTEXT SWITCHING 


The context of a processor extension (such as 
the 80287 numerics processor) is not changed 
by the task switch operation. A processor 
extension context need only be changed when 
a different task attempts to use the processor 
extension (which still contains the context of 
a previous task). The 80286 detects the first 
use of a processor extension after a task switch 
by causing the processor extension not-present 
exception (#7). The interrupt 
handler may 


then decide whether 
a context 
change 
is 


necessary. 


The 286 services numeric errors only when it 
executes wait or escape instructions because 
the processor extension is running independ- 
ently. The numerics error from one task may 
be recorded when the 286 is running a differ- 
ent task. If the 286 task has changed, it makes 
sense to defer handling that error until the 
original task is restored. For example, inter- 
rupt handlers that use the NPX should not 
have their timing upset by a numeric error 
interrupt that pertains to some earlier process. 
It is of little value to service someone else's 
error. 


If the task switch bit is set (bit 3 of MSW) 
when the CPU begins to execute a wait or 
escape instruction, 
the processor-extension 
not-present 
exception 
results 
(#7). 
The 
handler for this interrupt 
must know who 
currently "owns" the NPX, i.e., the handler 
must know the last task to issue a command 
to the NPX. If the owner is the same as the 
current task, then it was merely interrupted 
and the interrupt handler has since returned; 
the handler for interrupt 7 simply clears the 
TS bit, restores the working registers, and 
returns (restoring interrupts if enabled). 


If the recorded owner is different from the 
current task, the handler must first save the 
existing NPX context in the save area of the 
old task. It can then re-establish the correct 
NPX context from the current 
task's save 
area. 


The code example in figure 11-3 relies on the 
convention that each TSS entry in the GDT 
is followed by an alias entry 
for a data 
segment that points to the same physical 
region of memory that contains the TSS. The 
alias segment also contains an area for saving 
the NPX context, the kernel stack, and certain 
kernel data. That is, the first 44 bytes in that 
segment are the 286 context, followed by 94 
bytes for the processor extension 
context, 


followed in some cases by the kernel stack and 
kernel private data areas. 


The implied convention 
is that 
the stack 
segment selector points to this data segment 
alias so that whenever there is an interrupt at 
level zero and SS is automatically loaded, all 
of the above information 
is immediately 
addressable. 


It is assumed that the program example knows 
about only one data segment that points to a 
global data area in which it can find the one 
word NPX owner to begin the processing 
described. The specific operations needed, and 
shown in the figure, are listed in table 11-1. 


11.5 
MULTIPROCESSOR 
CONSIDERATIONS 


As mentioned in Chapter 
8, a bus lock is 
applied during the testing and setting of the 
task busy bit to ensure that two processors do 
not invoke the same task at the same time. 
However, protection traps and conflicting use 
of dynamically varying segments or descrip- 
tors must be addressed by an inter-processor 
synchronization protocol. The protocol can use 
the indivisible semaphore operation 
of the 
base instruction set. Coordination 
of inter- 
rupt 
and 
trap 
vectoring 
must 
also 
be 
addressed when multiple concurrent proces- 
sors are operating. 


The interrupt 
bus cycles are locked so no 
interleaving occurs on those cycles. Descrip- 
tor caching is locked so that 
a descriptor 
reference cannot be altered while it is being 
fetched. 


When a program changes a descriptor that is 
shared with other processors, it should broad- 
cast this fact to the other processors. This 
broadcasting 
can be done with an inter- 


" •• "" 
Up' 
llIUSl ~nsure tnat the segment 
regis- 


ters, the LDTR 
and the TR, are re-loaded. 
This happens 
automatically 
if the interrupt 
is 


serviced by a task switch. 


Modification 
of 
descriptors 
of 
shared 


segments 
in multi-processor 
systems 
may 
require 
that 
the on-chip 
descriptors 
also be 


updated. 
For example, 
one processor 
may 
attempt 
to mark 
the descriptor 
of a shared 


it. Software 
has to ensure that the descriptors 


in the segment 
register 
caches 
are updated 
with the new information. 
The segment 
regis- 
ter caches 
can be updated 
by are-entrant 
procedure 
that 
is 
invoked 
by 
an 
inter- 
processor 
interrupt. 
The handler 
must ensure 
that the segment 
registers, 
the LDTR and the 
TR, are 
re-loaded. 
This 
happens 
automati- 
cally 
if the 
interrupt 
is serviced 
by a task 
switch. 


LINE 
1 
'1 


2 
3 


4 


5 
6 


7 
8, 


10 
11 
"" 
14 
15 
16 
17 
18 
" 
2' 
21 


22 
"pl_JIVe_lIrta 


23·1 
SeJect 


2 ~ 
kit 
r ne I_c 
ode 


25 
26 


27 
28 
2' 
3' 
31 
32 
33 


34 
35 
36 


37 
38 
39 
40 
" 
42 


43 
" 
45 
46 
"""" 
51 
52 
53 


5 ~ 
kit 
r nel_c 
a d It 
en d, 


.1. 
WARNING 
'160, 
L1HE 
'54, 
SEGI'lEHT 
CONTAINS 
PRIVILEGED 
INSTRUCTIONS 
55 
Hd 


O02e 


0000 


0000 " 
0001 " 
0002 
BS···· 


0005 
8£08 


0007 
orooes 
oooA 
2He 
oooe 
or 06 


DODE " 


ODor 
38060000 
001] 
7412 


0015 
87060000 
001 
9 
050800 
oOlC 
8£08 
001£ 
OD362COO 
OH2 
360D262COO 


0027 
DOn 
1f 


0029 
58 


0029 
cr 


Thl! 
interrupt 
l'IIndltr 
'11111 
,wltch 
the 
NPI 
cantu! 
If 
II 
new 
tllst 


l' 
II tt 
tllP 
t i"9 
to 
u, 
e 
t h It 
HP X 
con 
tel' 
t 
0 f 
an 0 t he r t., k 
• f t It r 
I 
t I' 
k 
,witch, 
If 
the 
NPI 
context 
belong' 
to 
the 
turnn! 
1"k, 
nothing 
h.ppens. 


A 
trap 
glte 
,holJld 
be 
placed 
In 
IDT 
entry 
1 
referring 
to 
thl, 
routlne. 


The 
DPl 
of 
the 
gate 
,hould 
be 
0 
to 
prevent 
'pooflng. 
The 
eode 
Hg_ent 


mu,t 
be 
lit 
privilege 
level 
O. 


Get 
1 d 
0 f 
t h 1, 
t a, k 


Ih_ove 
RPL 
field 


Clear 
tl15t 
!WItched 
flllg 


Ho 
1 n t er 
r up t, 
allowed! 


." 
f'lIve 
fr,tor 


,a_e_ta, 
k: 


al,d,: 
III,t_npl_tll,k 


111,8 


d"al 
d,: 
npl_,aVe_lIrea 


,,: 
npl_,ave_IIrell 


Se 
t 
n tw 
t a, 
kid 
IInd 
ge 
t 
old 


Go 
to 
TSS 
111111' 


Addreu 
TSS 
of 
prevlou, 
"PI 
tll,t 


Save 
0 I d 
HP I 
, tat 
e 


Get 
<: u r r e n t 
HP I 
, tll 
t e 


Step 
Operation 
Line. 


1. 
Save the working registers 
28,29 
2. 
Set up address for kernel work area 
30,31 
3. 
Get current task 10 from Task Register 
32 


4. 
Clear Task Switch flag to allow NPX work 
34 
5. 
Inhibit interrupts 
35 


6. 
Compare owner with current task 10 
37 


If same owner: 
7a. 
Restore working registers 
48,49 
7b. 
and return 
50 


If owner is not 
current task: 


8a. 
Use owner 10 to save old context in its TSS 
42,43,44 
8b. 
Restore context of current task; 
45 
restore working registers; 
46 
and return 
52 
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iAPX 286 SYSTEM INITIALIZATION 


ttltl.('swltch 
the 
80286 
from 
R.al 
Addr 
••• 
Mod. 
to 
Prot.ct.d 
Mod.') 
name 
.wltch 
80286_mod 
•• 
public 
Idt_d 
•• 
c,gdt_d 
•• 
c 


Switch 
Ih. 
80286 
from 
r.al 
addr 
••• 
mod. 
Inlo 
prot.cl.d 
mod •. 


Th. 
Inilial 
EPROM 
GOT, 
lOT, 
Tss, 
and 
LOT 
(If 
any) 
con.lruct.d 
by 
BL0286 
will 
b. 
copl.d 
from 
EPROM 
Inlo 
RAM. 
Th. 
RAM 
ar.a. 
are 
d.fln.d 
by 
dala 
'.gm.nl. 
allocal.d 
a. 
flx.d 
.nlrl 
•• 
In 
the 
GOT. 
Th. 
CPU 
r.gl.t.r. 
for 
Ih. 
GOT, 
lOT, 
Tss, 
and 
LOT 
will 
b ••• 
1 
10 
polnl 
at 
the 
RAM-ba 
•• 
d 


•• 
gm.nl 
•. 
Th. 
ba •• 
fl.ld. 
In 
Ih. 
RAM-ba 
•• 
d 
GOT 
will 
al.o 
b. 
updal.d 
10 
polnl 
al 
Ih. 
RAM-ba 
•• 
d 
•• 
gm.nl 
•. 


Thl. 
cod. 
I. 
u •• 
d 
by 
adding 
II 
10 
Ih. 
11.1 
of 
obj.cl 
modul 
•• 
glv.n 
10 
BL0286. 
BL0286 
mu.1 
Ih.n 
b. 
lold 
10 
plac. 
Ih ••• 
gm.nl 


Inll_cod. 
al 
addr 
••• 
FFFE10H. 
Ex.cullon 
of 
Ih. 
mod •• 
wllch 
cod. 
b.gln. 


afl.r 
RESET. 
Thl. 
happ.n. 
b.cau 
•• 
Ih. 
mod. 
,wllch 
cod. 
will 
.Iart 
al 
phy.lcal 
addr 
••• 
FFFFFOH, 
which 
I. 
Ih. 
pow.r 
up 
addr 
•••. 
Thl. 
cod. 
Ih.n 


•• 
1. 
up 
RAM 
copl.' 
of 
Ih. 
EPROM-ba 
•• 
d 
•• 
gm.nl. 
b.for. 
lumping 
10 
Ih. 


Inilial 
la.k 
plac.d 
at 
a 
flx.d 
GOT 
.nlry. 
Afl.r 
Ih. 
Jump, 
Ih. 
CPU 


.xocul 
•• 
In 
Ih •• 
Ial. 
of 
Iho 
flr.t 
la.k 
d.fln.d 
by 
BL0286. 


Thl. 
cod. 
will 
nol 
u.o 
any 
of 
Ih. 
EPROM-ba 
•• 
d 
labl 
•• 
dlr.clly. 


Such 
u •• 
would 
r •• 
ull 
In 
Ih. 
80286 
wriling 
Inlo 
EPROM 
10 
•• 
1 


Ih. 
A 
bll. 
Any 
u •• 
of 
a 
GOT 
or 
Tss 
will 
alway. 
b. 
In 
Ih. 
RAM 
copy. 
Th. 
Ilmil 
and 
.Iz. 
of 
the 
EPROM-ba 
•• 
d 
GOT 
and 
lOT 
mu.1 
b •• 
tor.d 
al 
Ih. 
publiC 
.ymbol. 
ldl_do.c 
and 
gdl_d 
•• 
c. 
Th. 
location 
command. 
of 
BL0286 


provld. 
Ihl. 
funcllon 


Inl.rrupt. 
are 
d1!abl.d 
during 
Ihl. 
mod. 
,wllchlng 
cod 
•• 
Full 
.rror 


ch.cklng 
i. 
mad. 
of 
Ih. 
EPROM-ba 
•• 
d 
GOT, 
lOT, 
Tss, 
and 
LOT 
10 
a •• 
ur. 


Ih.y 
are 
valid 
b.for. 
copying 
Ih.m 
10 
RAM. 
If 
any 
of 
Ih. 
RAM-bo 
•• 
d 


alia 
••• 
gm.nl. 
are 
.mall.r 
Ihan 
Ih. 
EPROM 
•• 
gm.nl. 
Ih.y 
are 
10 
hold, 
hall 
or 
.huldown 
will 
occur. 
In 
g.n.ral, 
any 
.xc.pllon 
or 
HMI 
will 
cau 
••• 
huldown 
10 
occur 
unlll 
Ih. 
flr.t 
la.k 
I. 
Invok.d. 


If 
the 
RAM 
•• 
gm.nl 
I. 
larg.r 
Ihan 
the 
EPROM 
•• 
gm.nl, 
Ih. 
RAM 
•• 
gm.nt 
will 
b •• 
xpand.d 
with 
z.ro 
•. 
If 
Ih. 
Initial 
Tss 
.p.clfl 
•• 
an 
LOT, 
Ih. 
LOT 
will 
a150 
b. 
copl.d 
Inlo 
Idl_alla. 
with 
z.ro 
fill 
If 
n •• 
d.d. 
Th. 
EPROM-bo 
•• 
d 
or 
RAM-ba 
•• 
d 
GOT, 
lOT, 
Tss, 
and 
LOT 
•• 
gm.nt. 
may 
b. 
locat.d 


anywh.r. 
In 
phY'lcal 
m.mory. 


Form 
on 
odJu.lm.nl 
foclor 
from 
Ih. 
r.ol 
CS 
bo •• 
of 
FFOOOOH 
10 
Ih • 
•• 
gm.nl 
bo •• 
oddr 
••• 
o •• 
um.d 
by 
ASM286. 
Any 
dolo 
r.f.r.nc. 
mod. 


lnlo 
CS 
mu.1 
odd 
on 
lnd.xlng 
I.rm 
IBPI 
10 
comp.n.ol. 
for 
Ih. 
dlff.r.nc. 
b.lw 
•• 
n 
Ih. 
off 
•• 
1 
9.n.rol.d 
by 
ASM286 
ond 
Ih. 
off 
•• 
1 
r.qulr.d 
from 
Ih. 
bo •• 
of 
FFOOOOH. 


• lor 
I 
pro 
c 


co I I 
• lor 
I 1 
• lor 
I 1 : 


pop 
bp 


• u b 
bp,off 
•• 
1 
• lor 
I 1 


11 d I 
lnlllol_9dl1bpl 


Th. 
volu. 
of 
IP 
01 
run 
11m. 
will 
nol 
b • 


Ih •• 
om. 
o. 
Ih. 
on. 
u,.d 
by 
ASM286! 
G.I 
Iru. 
off 
•• 
1 
of 
.Iorll 


Sublrocl 
ASM286 
off 
•• 
1 
of 
.lort1 


l.ovlng 
odJu.lm.nl 
foclor 
In 
BP 
S.lup 
null 
lOT 
10 
fore 
•• 
huldown 


on 
ony 
prol.cllon 
.rror 
or 
lnl.rrupl 


.1,lnlllol_gdllbpJ 
Solup 
polnl 
•• 
10 
I.mporory 
GOT 
I.mplol. 
In 
EPROM 
ex, 
( • n d_g 
d I - 1 nil 
10 1_9 
d I ) I 2 
S. 
I 
I. 
n 9 I h 


."word 
plr 
IdlJ,c"r.1J; 
Pul 
lnlo 
r ••• 
rv.d 
RAM or.o 


Look 
for 
80287 
proc 
•• 
,or 
.xl.n.lon. 
Anum. 
oil 
on •• 
will 
b. 
r.od 


If 
on 
80287 
1. 
not 
pr 
••• 
n!. 


f n 1 nil 
mov 
f • I •w 
or 
j n z 


•• 
I_mod.: 


5 m s w 
or 
or 


Imsw 


J m p 


b x , EM 


ox 
00 I ,01 
•• 
t_mod. 


Inllioliz. 
80287 
if 
pr 
••• 
nl 


A •• 
um. 
no 
80287 
Look 
01 
.Iolu. 
of 
80287 
Ho 
.rror 
•• 
hould 
b. 
pr 
••• 
nl 


Jump 
If 
no 
80287 


ox 
ox, 
P E 
ax,bx 
ox 


• 
+ 2 


G.I 
curr.nl 
MSW 
S.I 
PE 
bll 
Sol 
HPX 
.tolu. 
flog. 
Enl.r 
prol.cl.d 
mod.! 
CI.or 
qu.u. 
of 
in.lrucllon. 
d.cod.d 


whll. 
In 
R.ol 
Addr 
••• 
Mod. 
CPL 
i. 
now 
0, 
CS 
.1111 
polnl. 
01 


FFFE10 
In 
phy.lcol 
m.mory 


D.fln. 
Ih. 
l.mpl.l. 
for. 
I.mpor.ry 
GOT 
u •• 
d 
10 
10c.l. 
Ih. 
Inlll.1 
GOT 
.nd 
.I.ck. 
Thl. 
d.l. 
will 
b. 
copl.d 
10 
loc.llon 
O. 


Thl5 
'p.c. 
I •• 
1.0 
u •• 
d 
for. 
I.mpor.ry 
.I.ck 
.nd 
fln.lly 
•• 
rv •• 


•• 
Ih. 
T55 
wrlll.n 
Inlo 
wh.n 
.nl.rlng 
Ih. 
Inlll.1 
T55. 


Inlll.l_gdl 
gdl_d 
•• 
c 
Idl_d 
•• 
c 
I.mp_d 
•• 
c 


d •• 
c 


d •• 
c 


d •• 
c 


d •• 
c 


Filler 
.nd 
null 
lOT 
d •• 
crlplor 
D•• 
crlplor 
for 
EPROM 
GOT 
D•• 
crlplor 
for 
EPROM 
lOT 
T.mpor.ry 
d •• 
crlplor 


D.fln 
•• 
d •• 
crlplor 
Ih.1 
will 
polnl 
Ih. 
GOT 
.1 
loc.llon 
O. 
Thl. 
d •• 
crlplor 
will 
.1.0 
b. 
lo.d.d 
Inlo 
55 
10 
d.fln. 
Ih. 
Inlli.1 
prol.cl.d 
mod •• 
I.ck 
•• 
gm.nl. 


D.fln. 
Ih. 
T55 
d •• 
crlplor 
u •• 
d 
10 
.Ilow 
Ih. 
I •• 
k 


flr.1 
I •• 
k 
10 
ov.rwrll. 
Ihl. 
r.glon 
of 
m.mory. 
Th. 


Ih. 
init"I.1 
GOT 
.nd 
.I.ck 
.1 
loc.lion 
O. 


I •• 
k_.nlry 
T55_.01 
T55_.II 
•• 
LDT_.11 
•• 
I •• 
k_.nlry 


r ••• 
I_.I.rlup: 


c I I 
c 1 d 


.wllch 
10 
Ih. 
T55 
will 
overl.y 


dword 
O,.I.rl_I 
•• 
k 


! t rue 
dw 
dw 
d w 


end 
!5 


D.fin. 
I.youl 
of 
I •• 
k 
d •• 
crlpllon 


5.l.clor 
for 
T55 
0.1 
••• 
gm.nl 
.11 
•• 
for 
T55 
0.1 
••• 
gm.nl 
.11 
•• 
for 
LOT 
If 
.ny 


d I • d 1 


d •• 
d 1 


e!5 
I d 1 


••• 
d I 


• P , • n d_g 
d I • I n I I I. 
I_g 
d I 


No 
Inl.rrupl 
•• 
Ilow.d! 


U5e 
8utolncrement 
mode 
Polnl 
E5:DI 
.1 
phplc.l 
.ddr 
••• 
OOOOOOH 


d •• 
c 


I 1m it 
bo •• _low 
bo •• _hlgh 


ecce55 
r •• 


d •• 
c 


Off 
•• 
t 
of 
lo.t 
byte 
in 
•• 
gm.nt 


Low 
16 
bit. 
of 
24-bll 
oddr 
••• 
High 
8 
bit. 
of 
24-blt 
oddr 
••• 
Acc 
••• 
right. 
byte 
Re!5l!rved 
word 


D.fln. 
tho 
fix.d 
GDT 
•• 
I.ctor 
volu 
•• 
for 


d.fin. 
tho 
EPRDM-bo 
•• 
d 
tobl 
••. 
BLD286 
mu,t 


oppropriot. 
d •• 
criptor. 
Into 
tho 
GDT. 


, t rue 
dw 
dw 
db 


db 
dw 
.nd. 


tho 
d •• 
criplor. 
that 


b. 
in.truct.d 
10 
ploc. 


gdt_ol 
la, 
• qu 
1 • , i z e 
d •• 
c 
GDT< 1) 
i • 
dot 
a 
'.gm.nt 
i n 
RAM 
for 
GDT 
i d t_o 
I 10' 
• qu 
2 f • i z • 
d •• 
c 
GDT ( 2 ) 
i • 
dot 
a 
•• 
gm.nl 
i n 
RAM 
for 
I DT 


, tor 
1_ T S S_o 
I I a , 
• qu 
3 f ! i z e 
d. 
, c 
GDT(3) 
I • 
d a I a 
•• 
gm.nl 
i n 
RAM 
for 
TSS 
• lor 
1_ 10' 
k 
.qu 
'4. 
!5 i z e 
d. 
, c 
GDT< 4) 
i , 
T S S 
for 
.torling 
10' 
k 
, lor 
I _L DT_a 
I 10' 
.qu 
Sf. 
i z. 
d •• 
c 
GDT<S) 
i , 
d a I a 
•• 
gm.nl 
1 n 
RAM 
for 
LDT 


D.fln. 
mochln. 
• lot 
u , 
w 0 r d 
bit 
po'llion 
•. 


DT_ACCESS 
DS_ACCESS 


TSS_ACCESS 
DPL 
ACCESSED 


T I 
TS S_S 
I ZE 
LDT_OFFSET 
TIRPL_MASK 


Prol.cllon 
.nobl. 
Monitor 
processor 
extension 


Emul!lte 
proces50r 
extension 


on 
LDT 


data 
'.gm.nl 


I.v.l 
0, 
wrll.obl. 


on 
idl. 
TSS 
of 
occ." 
right. 


8 1 H 
60H 


1 


4 
44 
H 
! 1 z e 


Acc ••• 
byte 
volu. 
for 
Acc.,. 
byte 
volu. 
for 
which 
I' 
grow 
up. 
at 
Acc 
••• 
byte 
volu. 
for 
Prlvll.g. 
l.v.1 
fl.ld 
D.fin. 
occ 
•• 
,.d 
bit 
Po,itlon 
of 
TI 
bit 
Siz. 
of 
a 
TSS 


Po,lllon 
of 
LDT 
In 
TSS 
TI 
and 
RPL 
fl.ld 
mo,k 


Po" 
control 
from 
tho 
pow.r-up 
oddr 
••• 
to 
tho 
mod. 
,witch 
cod 
•. 


Th ••• 
gm.nt 
containing 
thl, 
cod. 
mu.1 
b. 
at 
phy,lcol 
oddr 
•• 
, 
FFFE10H 
to 
ploc. 
tho 
JMP 
In,tructlon 
at 
phY'icol 
oddr 
••• 
FFFFFOH. 
Th. 
bo •• 


oddr." 
I' 
cho,.n 
according 
to 
Ih. 
,Iz. 
of 
thl 
••• 
gm.nl. 


OFE10H 
OF FF 0 H- c '_0 
f f,. 
t; 


r ••• 
t_. 
tor 
t up 


Low 
16 
bit. 
of 
.torllng 
oddr." 
Slort 
at 
oddr 
••• 
FFFFFOH 
Do 
not 
chong. 
CS! 


Copy 
the 
T55 
and 
LOT 
for 
the 
ta.k 
If 
the 
ta.k 
ha. 
an 
LOT 
It 
will 
al.o 
SX 
and 
SP 
are 
Iran.parenl. 


pointed 
at 
by 
C5:Sx' 


be 
copied 
down. 


b a d_ t •• : 


hit 
copy_ta.k. 


.I,gdl_alla. 
d. 
, • I 
• I , c. 
: [ b x J • I •• _a 
II 
a. 
e! • ! 1 


I 
X , !I 1 
• I , c. 
: [ b x J • t •• _. e I 
d x , • I 
bad_t 
•• 


d I , d h 
dh,nolOPL 
dh, 
T55_ACCE55 
bad_t 
•• 


Get 
.elector 
for 
T55 
.lla. 
Polnl 
E5 
at 
alia. 
dala 
.egment 
Get 
length 
of 
T55 
alia. 
Get 
T55 
.eleclor 
Get 
alia. 
acce 
•• 
rlghl. 
Jump 
If 
Invalid 
reference 


Save 
T55 
de.crlplor 
acce 
•• 
byle 
Ignore 
privilege 
See 
If 
T55 
Jump 
If 
nol 


Get 
length 
of 
EPROM 
ba.ed 
T55 
Verify 
It 
I. 
of 
proper 
.I.e 
Jump 
If 
It 
I. 
not 
big 
enough 


Setup 
for 
moving 
the 
EPROM-ba.ed 
T55 
10 
RAM 
05 
polnl. 
al 
GOT 


mov 
mov 
c a I I 


ex, 
!I 1 


ex. 
T 5 5_5 
I Z E - 1 
b a d_I •• 


[ • I J 
• ace 
e ••• 
0 5_A C CE 55 
d. 
, • I 
copy_wI 
th_f 
III 


Make 
T55 
Into 
dala 
.egmenl 
Polnl 
05 
al 
EPROM 
T55 
Copy 
05 
.egmenl 
10 
E5 
wllh 
.ero 
fill 


CX 
ha. 
copy 
counl, 
AX-CX 
fill 
count 


mov 
mov 
mov 
mov 
mov 


lI'IOV!iW 


mov!lw 
lod.w 
mov 
.to.w 


movsw 


a x , 9 d I_a 
I I a • 


d!l 
, ex 


e!l 
, B X 
d I • c. 
: [ b x I • I •• 
_. 
e I 
• I , c. 
: [ b x J 
• I •• _a 
I I a. 
Gel 
T55 
.eleclor 
Gel 
RAM 
alia 
•• 
eleclor 
Copy 
Ilmil 
Copy 
low 
16 
bll. 
of 
addre 
•• 
Gel 
high 
8 
bll. 
of 
addre 
•• 
Mark 
a. 
T55 
de.crlplor 
Fill 
In 
high 
addre 
•• 
and 
acce 
•• 
byle. 
Copy 
re.erved 
word 


mov 
x 0 r 
I I d t 


.A, 
•• mp_.lock-Inltlol_gdt 


5!1 , ex 
ex, 
D X 


a x 


a x , • a v e_t 
•• 
- I nit 
I a I_g 
d t 


a x 


Setup 
55 
with 
valid 
protected 
mode 
.elector 
to 
the 
RAM 
GOT 
and 
.tock 
Sol 
the 
current 
LOT 
to 
null 


Any 
reference. 
to 
It 
will 
cou.e 
on 
exception 
cou.lng 
.hutdown 
Set 
Initial 
TSS 
Into 
the 
low 
RAM 
The 
to.k 
.wltch 
need. 
a 
valid 
TSS 


Copy 
the 
EPROM-bo.ed 
GOT 
Into 
the 
RAM 
data 
.egment 
olio 
•• 


Flr.t 
the 
de.crlptor 
for 
the 
RAM 
data 
.egment 
mu.t 
be 
copied 
Into 


the 
temporary 
GOT. 


mov 
a x, 
9 d t_d 
e. 
c [ b P J • I I m I t 


em p 
ex,6·s1z! 
de. 
c - 1 


J b 
bod_gdt 


mov 
b x, 
9 d t_d 
e. 
c - I nit 
I ol_g 
d t 


mov 
.I,gdt_ollo. 


co 
1 I 
copy_EPROM_dt 


mov 
• I , I d t_o 
I 10. 


mov 
b x, 
I d t_d 
e. 
c - I nit 
10 I_g 
d t 


c a I 1 
copy_EPROM_dt 


mov 
a x, 
9 d t_d 
e. 
c - I nit 
10 1_9 
d t 


mov 
d!l,8X 
mov 
bx,gdt_oIIO' 


19 d t 
r b x J 


Get 
.Ize 
of 
GOT 
Be 
.ure 
the 
lo.t 
entry 
expected 
by 
thl. 
code 
I. 
In.lde 
the 
GOT 


Jump 
If 
GOT 
I. 
not 
big 
enough 


Form 
.elector 
to 
EPROM 
GOT 
Get 
.elector 
of 
GOT 
olio. 
Copy 
Into 
EPROM 
Get 
.elector 
of 
lOT 
olio. 
Indicate 
EPROM 
lOT 


Get 
GOT 
olio. 
data 
.egment 
.elector 
Set 
GOT 
to 
RAM 
GOT 
55 
and 
TR 
remain 
In 
low 
RAM 


I eo 
copy_to.k_loop: 
c a I I 
odd 


copy_to.k. 
bx,.lze 
to.k_entry 
a x, c. : [ b xl. 
t •• _. 
e 1 


or 
BX,ex 


lnz 
copy_to.k_loop 


Copy 
them 
Into 
RAM 
Go 
to 
next 
entry 
See 
If 
there 
I. 
another 
entry 


mov 
mov 
mov 
II 
d t 
l m p 


bx,gdt_ollo. 
d. 
, b x 


b x , I d t _a 
I I a • 
r b x J 
• tor 
t_p 
0 I n t err 
b p J 


Get 
lOT 
olio. 
data 
.egment 
.elector 


Set 
lOT 
for 
error. 
and 
Interrupt. 
Start 
the 
flnt 
to.k! 
The 
low 
RAM 
area 
I. 
overwritten 
with 
the 
current 
CPU 
context 


Te.t 
the 
de.crlptor 
table 
.Ize 
In 
AX 
to 
verify 
that 
It 
I. 
an 


even 
number 
of 
de.crlptor. 
In 
length, 


t e. 
t_d 
t_11 
m It 
pro 
C 


p u • h 
ax 
Save 
I en 9 t h 


and 
a I ,7 
L 0 0 k 
at 
low 
order 
bit. 


cmp 
a I , 7 
Mu • t 
be 
a II 
ones 


pop 
a x 
Re.tore 
I e n 9 t h 


J n e 
bad_dt_Ilmlt 


r e t 
A 1 I 
OK 


bad_dt_Ilml 
t: 


hit 
Die! 


te.t_dt_Ilmlt 
endp 


Copy 
the 
EPRDM 
DT 
at 
.elector 
ex 
In 
the 
temporary 
GDT 


data 
.egment 
at 
.elector 
51. 
Any 
Improper 
de.crlptor. 
or 


will 
cau.e 
.hutdown! 


mov 
mov 
mov 
pu.h 
lod.w 
c a I 1 


• to. 
w 


movsw 


mov!w 


mov!w 


8 X 
I 
5 ! 
e! , I!I X 


e. 
: r b xl, 
ace 
e ••• 
D s_A 
C C E 5 5 ; 


e •• 
rbxl,re.,O 


a x 
I b x 


C X 
I ex 
te.t_dt_Ilmi 
t 


d I. 
9 d t_d 
e. 
c - I nit 
I a I_g 
d t 
d. 
, d I 
d I , t em p_d 
e • c - I nit 
I a I_g 
d t ; 


d I 


Mark 
de.crlptor 
a. 
a 
data 
.egment 


Cleer 
reserved 
word 
Get 
limit 
of 
EPROM 
DT 
Save 
for 
later 


Verify 
it 
I. 
a 
proper 
limit 
Addre 
•• 
EPROM 
GDT 
In 
Ds 


Get 
.elector 
for 
temporary 
de.crlptor 


Save 
off.et 
for 
later 
u.e 
a •• 
elector 


Get 
alia 
•• 
egment 
.Ize 
Verify 
It 
I. 
an 
even 
multiple 
of 


de.criptor. 
in 
length 
Put 
length 
into 
temporary 
Copy 
remaining 
entrle. 
Into 
temporary 


Es 
now 
point. 
at 
the 
GDT 
alia. 
area 
Ds 
now 
point. 
at 
EPROM 
DT 
a. 
data 
Copy 
.egment 
to 
alia. 
with 
zero 
fill 
CX 
I. 
copy 
count, 
AX-CX 
Is 
fill 
count 


Fall 
Into 
COPy_wlth_flll 


See 
If 
0 
volld 
LOT 
I' 
'peel 
fled 
for 
Ihe 
,Iorlup 
lo,k 


If 
'0 
Ihen 
copy 
Ihe 
EPROM 
ver,lon 
Inlo 
Ihe 
RAM 
olio 
•• 


p u , h 
lor 
1 n z 


mov 
mov 
I, I 
co I I 
mov 


mov 
mov 
I , I 
coli 
co I I 


pop 
mov 
mov 
mov 


mOV!lw 


mov!lw 


I 0 d , w 
mov 
, I 0 , w 


mov!lw 


rei 
bod_ldl: 
h I I 


d, 
• c , : [ b xl. 
I , '_0 
I I 0 , 
,I.d"word 
plr 
LOT_OFFSET 
,I,nol 
TIRPL_MAsK 


no_I 
d I 


Ignore 
TI 
5 kip 
I hi, 
ond 
RPL 


If 
no 
LOT 
u,ed 


sove 
LOT 
,eleclor 
Te,1 
de,crlplor 
Jump 
If 
Involld 
,eleclor 


d I , d h 
dh,nol 
OPL 
dh, 
OT_ACCEss 


bod_ldl 


sove 
LOT 
de,crlplor 
occe" 
byle 
Ignore 
privilege 
ae 
'ure 
II 
I' 
on 
LOT 
de,crlplor 
Jump 
If 
Involld 


e, : [ , I l .0 c c e, , .0 
s_A 
C C E 5 5 ; 


d, 
• , I 


a x , !I i 
Ie, 
I_d 
I_11m 
II 


Mork 
LOT 
0' 
dolo 
,egmenl 
Polnl 
OS 
01 
EPROM 
LOT 
Gel 
LOT 
Ilmil 
Verify 
II 
I' 
volld 
sove 
for 
loler 


, I • c, 
: [ b x J 
• I d 1_0 
I 10' 
e! , !I 1 
a x , !I 1 
Ie, 
I_d 
I_I 
I m II 
copy_wllh_f 
III 


Gel 
Idl 
olio, 
,eleclor 


Polnl 
Es 
01 
olio, 
,egmenl 
Gel 
lenglh 
of 
olio, 
.egmenl 


Verify 
II 
I' 
volld 
Copy 
LOT 
lnlo 
RAM 
olio, 
,egmenl 


,1 
• c, 
: [ b xl. 
I d 1_0 
I 10' 
d I 
ox, 
9 d 1_0 
I I 0 , 


dS,8X 


e!l 
, a x 


Re,lore 
LOT 
olio, 
,eleclor 


Re,lore 
LOT 
.eleclor 


Re,lore 
GOT 
oddre,.lng 


Move 
Ihe 
RAM 
LOT 
Ilmil 


Move 
Ihe 
low 
16 
bll, 
ocro" 


Gel 
Ihe 
high 
8 
bll, 
Mork 
0' 
LOT 
de,crlplor 
sel 
high 
oddre" 
ond 
occe" 
righi, 


Copy 
re,erved 
word 


Copy 
tho 
.ogmont 
at 
DS 
to 
tho 
.ogmont 
at 
ES 
for 
longth 
CX. 


Fill 
tho 
ond 
with 
AX-CX 
zoro 
•• 
U.o 
word 
oporatlons 
for 
spood 
but 


allow 
odd 
by 
to 
oporatlons. 


xor 
xor 


• u b 
add 
r c r 


rop 
mOV5W 


xchg 


J n c 


mov!b 
or 


J z 


• to. 
b 
doc 
ovon_copy: 


• h r 


rop 
.to.w 


J n c 


• to. 
b 


o x I t_c 
0 P Y : 


rot 


5 1 
I 
!5 1 


d I • d I 
e x I ex 
ex, 
1 


C X 
I 1 


Form 
fill 
count 
Convort 
limit 
to 
count 
Allow 
full 
64K 
movo 


Copy 
DT 
Into 
alia. 
aroa 
Got 
fill 
count 
and 
zoro 
AX 


Jump 
if 
ovon 
by 
to 
count 
on 
copy 


Evon 
out 
tho 
.ogmont 
off.ot 
AdJu.t 
romalnlng 
fill 
count 


Form 
word 
count 
on 
fill 
Cloar 
unusod 
word. 
at 
ond 
Exit 
If 
no 
odd 
by 
to 
romaln. 


Appendix 
B 
The iAPX 286 Instruction Set 


Opcode 
8-1 
Instruction 
8-5 
Clocks 
8-6 
Description 
8-6 
Flags Modified 
8-6 
Flags Undefined 
8-6 
Operation 
8-6 
Protected Mode Exceptions 
8-6 
Real Address Mode Exceptions 
8-7 


Protection Exceptions 
8-7 


Error Codes 
8-7 
#DF8 Double Fault (Zero Error Code) 
8-8 
#GP 13 General Protection 
(Selector or Zero Error Code) 
8-8 
#MF 16 Math Fault (No Error Code) 
8-8 
#MP 9 Math Unit Protection Fault 


(No Error Code) 
8-9 
#NM 7 No Math Unit Available 
(No Error Code) 
8-9 
#NP 11 Not Present 
(Selector Error Code) 
8-9 
#SS 12 Stack Fault (Selector or Zero 


Error Code) 
....................•.................... 8-10 
#TS 10 Invalid Task State Segment 


(Selector Error Code) 
8-10 
#UD 6 Undefined Opcode 
(No Error Code) 
8-11 


Privilege Level and Task Switching 


on the iAPX 286 
8-11 


AAA-XOR 
8-14 thru 8-111 


APPENDIX B 
THE iAPX 286 INSTRUCTION SET 


This section presents the iAPX 286 instruc- 
tion set using Intel's ASM286 notation. All 
possible operand types are shown. Instruc- 
tions are organized alphabetically according 
to generic operations. Within each operation, 
many different 
instructions 
are possible 
depending on the operand. The pages are 
presented 
in a standardized 
format, 
the 


elements 
of which 
are described 
in the 


following paragraphs. 


Ope ode 


This column gives the complete object code 
produced for each form of the instruction. 
Where 
possible, 
the codes 
are given 
as 
hexadecimal bytes, presented in the order in 
which they will appear in memory. Several 
shorthand conventions are used for the parts 
of instructions which specify operands. These 
conventions are as follows: 


m: (n is a digit from 0 through 7) A ModRM 
byte, plus a possible immediate and displace- 
ment field follow the opcode. See figure B-1 
for the encoding of the fields. The digit n is 
the value of the REG field of the ModRM 
byte. To obtain 
the possible hexadecimal 


values for / n, refer to column n of table B-1. 
Each row gives a possible value for the effec- 
tive address operand to the instruction. The 
entry at the end of the row indicates whether 
the effective address operand is a register or 
memory; if memory, the entry indicates what 
kind of indexing and/or displacement is used. 
Entries with D8 or D16 signify that a one- 
byte or two-byte 
displacement 
quantity 


immediately followsthe ModRM and optional 
immediate field bytes. The signed displace- 
ment is added to the effective address offset. 


If: A ModRM 
byte that contains 
both a 


register operand 
and an effective 
address 


operand, followed by a possible immediate 
and displacement field. See figure B-2 for the 
encoding of the fields. The ModRM 
byte 
could be any value appearing in table B-1. 
The 
column 
determines 
which 
register 
operand was selected; the row determines the 
form of effective address. If the row entry 
mentions D8 or D 16, then a one-byte or two- 
byte displacement follows, as described in the 
previous paragraph. 


cb: A one-byte signed displacement 
in the 
range of - 128 to + 127 follows the opcode. 
The displacement is sign-extended to 16 bits, 
and added modulo 65536 to the offset of the 
instruction FOLLOWING 
this instruction to 
obtain the new IP value. 


cw: A two-byte displacement is added modulo 
65536 
to 
the 
offset 
of the 
instruction 
FOLLOWING 
this instruction to obtain the 
new IP value. 


cd: A two-word pointer which will be the new 
CS:IP value. The offset is given first, followed 
by the selector. 


db: An immediate 
byte 
operand 
to the 
instruction 
which follows the opcode and 
ModRM bytes. The opcode determines if it is 
a signed value. 
. 


dw: An immediate 
word operand 
to the 
instruction 
which follows the opcode and 
ModRM bytes. All words are given in the 
iAPX 286 with the low-order byte first. 


+rb: A register code from 0 through 7 which 
is added to the hexadecimal byte given at the 
left of the plus sign to form a single opcode 
byte. The codes are: AL=O, CL= 1, DL=2, 
BL=3, AH=4, 
CH=5, 
DH=6, 
and BH=7. 


mod 
Displacement 


00 
015P = 0(2), disp-Iow 
and disp-high 
are absent 
01 
015P = disp-Iow 
sign-extended 
to 16-bits, 
disp-high 
is absent 


10 
015P = disp-high: 
disp-Iow 


11 
rim is treated 
as a "reg" 
field 


rim 


[ 
Operand 
Address 


000 
(BX) + (51) + 015P 
001 
(BX) + (01) + 015P 
010 
(BP) + (51) + 015P 


011 
(BP) + (01) + 015P 
100 
(51) + 015P 


101 
(01) + 015P 


110 
(BP) + 015P(2) 
111 
(BX) + 015P 


NOTES: 


1. Opcode 
indicates 
presence 
and size of immediate 
value. 


2. Except 
if mod=OO 
and r/m=110 
then EA=disp-high: 
disp-Iow. 


Rb 
= 
AL 
CL 
OL 
BL 
AH 
CH 
OH 
BH 
Rw 
= 
AX 
CX 
OX 
BX 
8P 
BP 
81 
01 
REG 
= 
0 
1 
2 
3 
4 
5 
6 
7 


ModRM values: 
Effective address: 


00 
08 
10 
18 
20 
28 
30 
38 
[BX + 81] 
01 
09 
11 
19 
21 
29 
31 
39 
[BX + 01] 
02 
OA 
12 
1A 
22 
2A 
32 
3A 
[BP + 81] 
03 
OB 
13 
1B 
23 
2B 
33 
3B 
[BP + 01] 
04 
OC 
14 
1C 
24 
2C 
34 
3C 
[81] 
05 
00 
15 
10 
25 
20 
35 
3D 
[01] 
06 
OE 
16 
1E 
26 
2E 
36 
3E 
016 (simple var) 
07 
OF 
17 
1F 
27 
2F 
37 
3F 
[BX] 
40 
48 
50 
58 
60 
68 
70 
78 
[BX + 81] + 08(1) 


41 
49 
51 
59 
61 
69 
71 
79 
[BX + 01] + 08 
42 
4A 
52 
5A 
62 
6A 
72 
7A 
[BP + 81] + 08 
43 
4B 
53 
5B 
63 
6B 
73 
7B 
[BP + 01] + 08 
44 
4C 
54 
5C 
64 
6C 
74 
7C 
[81] + 08 
45 
40 
55 
50 
65 
60 
75 
70 
[01] + 08 
46 
4E 
56 
5E 
66 
6E 
76 
7E 
[BP] + 08(2) 


47 
4F 
57 
5F 
67 
6F 
77 
7F 
[BX] + 08 
80 
88 
90 
98 
AO 
A8 
BO 
B8 
[BX + 81] + 016(3) 


81 
89 
91 
99 
A1 
A9 
B1 
B9 
[BX + 01] + 016 
82 
8A 
92 
9A 
A2 
AA 
B2 
BA 
[BP +81] + 016 
83 
8B 
93 
9B 
A3 
AB 
B3 
BB 
[BP + 01] + 016 
84 
8C 
94 
9C 
A4 
AC 
B4 
BC 
[81] + 016 
85 
80 
95 
90 
A5 
AD 
B5 
BO 
[01] + 016 
86 
8E 
96 
9E 
A6 
AE 
B6 
BE 
[BP] + 016(2) 


87 
8F 
97 
9F 
A7 
AF 
B7 
BF 
[BX] + 016 
CO 
C8 
DO 
08 
EO 
E8 
FO 
F8 
Ew=AX 
Eb=AL 


C1 
C9 
01 
09 
E1 
E9 
F1 
F9 
EW=CX 
Eb=CL 


C2 
CA 
02 
OA 
E2 
EA 
F2 
FA 
Ew=OX 
Eb=OL 


C3 
CB 
03 
DB 
E3 
EB 
F3 
FB 
Ew=BX 
Eb=BL 


C4 
CC 
04 
DC 
E4 
EC 
F4 
FC 
Ew=8P 
Eb=AH 
C5 
CD 
05 
DO 
E5 
ED 
F5 
FO 
Ew=BP 
Eb=CH 
C6 
CE 
06 
DE 
E6 
EE 
F6 
FE 
Ew=81 
Eb=OH 
C7 
CF 
07 
OF 
E7 
EF 
F7 
FF 
Ew=OI 
Eb=BH 


NOTES: 


1. 08 denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the index. 


2. Default segment register is 88 for effective addresses containing a BP index; 08 is for other memory 
effective addresses. 


3. 016 denotes the 16-bit displacement following the ModRM byte that is added to the index. 


mod 
Displacement 


00 
OISP = 0(2),disp-Iow and disp-high are absent 
01 
OISP = disp-Iow sign-extended to 16-bits, disp-high is absent 
10 
OISP = disp-high; disp-Iow 
11 
rjm is treated as a "reg" field 


16-Blt (w = 1) 
8-Blt (w = 0) 
Segment 


000 AX 
000 AL 
00 ES 
001 CX 
001 CL 
01 CS 
010 OX 
010 OL 
10 SS 
011 BX 
011 BL 
11 OS 
100 SP 
100 AH 
101 BP 
101 CH 
110 51 
110 OH 
111 01 
111 BH 


rim 
Operand Address 


000 
(BX) + (SI) + OISP 
001 
(BX) + (01) + OISP 
010 
(BP) + (SI) + OISP 
011 
~ 
(BP) + (01) + OISP 
100 
(SI) + OISP 
101 
(01)+ OISP 
110 
(BP) + 0ISp(2) 
111 
(BX) + OISP 


NOTES: 


1. Opcode indicates presence and size of immediate field. 


2. Except if mod=OO and rjm=110 
then EA=disp-high: 
disp-Iow. 


+rw: A register code from 0 through 
7 which 
is added to the hexadecimal 
byte given at the 
left of the plus sign to form a single opcode 
byte. The codes are: AX = 0, CX = 1, OX = 2, 
BX=3, 
SP=4, 
BP=5, 
SI=6, 
and 01=7. 


Instruction 


This column 
gives the instruction 
mnemonic 


and possible 
operands. 
The type of operand 


used will determine 
the opcode 
and operand 


encodings. 
The following 
entries 
list the type 


of operand 
which 
can 
be encoded 
in the 


format 
shown in the instruction 
column. 
The 
Intel 
convention 
is to place 
the 
destination 
operand as the left hand operand. 
Source-only 
operands 
follow the destination 
operand. 


In many 
cases, the same 
instruction 
can be 


encoded several ways. It is recommended 
that 


you use the 
shortest 
encoding. 
The 
short 


encodings are provided to save memory 
space. 


cb: a destination 
instruction 
offset 
in the 


range 
of 
128 bytes 
before 
the 
end 
of this 


instruction 
to 127 bytes after 
the end of this 


instruction. 


cw: a destination 
offset within the same code 


segment 
as this 
instruction. 
Some 
instruc- 


tions allow a short form of destination 
offset. 


See cb type for more information. 


cd: a destination 
address, 
typically 
in a 
different 
code segment 
from this instruction. 


Using the cd: address 
form with call instruc- 


tions saves the code segment 
selector. 


db: a signed value between 
-128 
and + 127 


inclusive which is an operand 
of the instruc- 
tion. For instructions 
in which the db is to be 


combined 
in some way with a word operand, 


the immediate 
value is sign-extended 
to form 


a word. The upper 
byte of the word is filled 


with the topmost 
bit of the immediate 
value. 


dw: an immediate 
word 
value 
which 
is an 
operand 
of the instruction. 


eb: a byte-sized 
operand. 
This is either a byte 
register 
or a (possibly 
indexed) 
byte memory 


variable. 
Either 
operand 
location 
may 
be 
encoded 
in the ModRM 
field. Any memory 
addressing 
mode may be used. 


ew: a word-sized 
operand. 
This 
is either 
a 
word 
register 
or a (possibly 
indexed) 
word 
memory 
variable. 
Either 
operand 
location 
may be encoded 
in the ModRM 
field. 
Any 


memory 
addressing 
mode may be used. 


m: a memory 
location. 
Operands 
in registers 
do not have a memory 
address. 
Any memory 


addressing 
mode may be used. 


mb: a memory-based 
byte-sized 
operand. 
Any 


memory 
addressing 
mode may be used. 


mw: a memory-based 
word 
operand. 
Any 
memory 
addressing 
mode may be used. 


md: a memory-based 
pointer 
operand. 
Any 
memory 
addressing 
mode may be used. 


rb: one of the byte registers AL, CL, OL, BL, 
AH, CH, OH, or BH. 


rw: one of the word registers 
AX, CX, OX, 
BX, SP, BP, SI, or OJ. 


xb: a simple byte memory 
variable 
without 
a 
base 
or index 
register. 
MOY 
instructions 
between AL and memory 
have this optimized 
form if no indexing 
is required. 


xw: 
a simple word memory 
variable 
without 
a base or index 
register. 
MOY 
instructions 
between AX and memory 
have this optimized 
form if no indexing 
is required. 


This column gives the number 
of clock cycles 
that 
this 
form 
of the 
instruction 
takes 
to 
execute. 
The amount 
of time for each clock 
cycle 
is computed 
by dividing 
one 
micro- 


second by the number 
of MHz 
at which the 
80286 
is running. 
For example, 
a 10-MHz 
80286 
(with 
the 
eLK 
pin 
connected 
to 
a 


20-MHz 
crystal) 
takes 
100 nanoseconds 
for 
each clock cycle. 


The 
clock 
counts 
establish 
the 
maximum 
execution 
rate of the 80286. 
With 
no delays 


in bus cycles, 
the 
actual 
clock 
count 
of an 


80286 program 
will average 
5-10% more than 


the calculated 
clock count due to instruction 


sequences 
that 
execute 
faster 
than 
they can 
be fetched 
from memory. 


Some instruction 
forms give two clock counts, 


one unlabelled 
and one labelled. 
These counts 


indicate 
that the instruction 
has two different 


clock times for two different 
circumstances. 


Following 
are the circumstances 
for each 
possible label: 


mem: The instruction 
has an operand 
that can 
either be a register or a memory variable. 
The 
unlabelled 
time is for the register; 
the mem 
time 
is for the memory 
variable. 
Also, 
one 


additional 
clock 
cycle 
is taken 
for indexed 
memory 
variables 
for which all three possible 


indices 
(base 
register, 
index 
register, 
and 
displacement) 
must be added. 


noj: The Instruction 
involves 
a conditional 
jump or interrupt. 
The unlabelled 
time holds 
when the jump 
is made; 
the noj time 
holds 
when the jump is not made. 


pm: The 
instruction 
takes 
more 
time 
to 
execute when the 80286 is in Protected 
Mode. 
The 
un labelled 
time 
is for 
Real 
Address 
Mode; the pm time is for Protected 
Mode. 


This is a concise description 
of the operation 
performed 
for this 
form 
of the 
instruction. 


More 
details 
are 
given 
in the 
"Operation" 
section that appears 
later in this chapter. 


Flags Modified 


This is a list of the flags 
that 
are 
set to a 
meaningful 
value by the instruction. 
If a flag 
is always set to the same value by the instruc- 
tion, the value is given (" = 0" or "= 1") after 
the flag name. 


Flags Undefined 


This 
is a list 
of the 
flags 
that 
have 
an 
undefined 
(meaningless) 
setting 
after 
the 
instruction 
is executed. 


All 
flags 
not 
mentioned 
under 
"Flags 
Modified" 
or 
"Flags 
Undefined" 
are 
unchanged 
by the instruction. 


Operation 


This 
section 
fully 
describes 
the 
operation 
performed 
by the instruction. 
For some of the 
more 
complicated 
instructions, 
suggested 
usage is also indicated. 


Protected Mode Exceptions 


The 
possible 
exceptions 
involved 
with 
this 
instruction 
when running under the iAPX 286 
Protected 
Mode 
are 
listed 
below. 
These 
exceptions 
are abbreviated 
with a pound sign 
(#) 
followed 
by two capital 
letters 
and 
an 
optional 
error 
code 
in 
parenthesis. 
For 
example, 
#GP(O) denotes 
the general 
protec- 
tion exception 
with an error code of zero. The 
next section 
describes 
all of the 
iAPX 
286 
exceptions 
and the machine 
state upon entry 


to the exception. 


If 
you 
are 
an 
applications 
programmer, 


consult the documentation 
provided with your 
operating 
system 
to determine 
what 
actions 
are 
taken 
by the 
system 
when 
exceptions 
occur. 


Real Address Mode Exceptions 


Since less error checking 
is performed 
by the 
iAPX 286 when it is in Real Address 
Mode, 
there are fewer exceptions 
in this mode. One 
exception 
that 
is possible 
in many 
instruc- 
tions 
is #GP( 0). 
Exception 
13 is generated 


whenever 
a word operand 
is accessed 
from 
effective address OFFFFH 
in a segment. 
This 
happens 
because 
the second byte of the word 
is considered 
located at location 
10000H, 
not 
at location 
0, and thus exceeds the segment's 
address ability limit. 


Protection Exceptions 


In parallel 
with the execution 
of instructions, 
the 
protected-mode 
iAPX 
286 
checks 
all 
memory 
references 
for validity 
of addressing 


and type of access. Violation 
of the memory 
protection 
rules built 
into the processor 
will 
cause a transfer 
of program 
control 
to one of 
the 
interrupt 
procedures 
described 
in this 
section. 
The 
interrupts 
have 
dedicated 
positions 
within 
the 
Interrupt 
Descriptor 
Table, which is shown in table B-2. The inter- 
rupts are referenced 
within the instruction 
set 
pages by a pound sign (#) followed by a two- 
letter 
mnemonic 
and the optional 
error 
code 
in parenthesis. 


Error Codes 


Some exceptions 
cause the iAPX 
286 to pass 
a 16-bit 
error 
code 
to the 
interrupt 
proce- 


dure. When this happens, the error code is the 
last item pushed onto the stack before control 
is tranferred 
to the 
interrupt 
procedure. 
If 
stacks were switched 
as a result of the inter- 
rupt, the error code appears 
on the interrupt 
procedure's 
stack, not on the stack of the task 
that was interrupted. 


The error code generally 
contains 
the selector 
of the 
segment 
that 
caused 
the 
protection 
violation. 
The RPL field (bottom 
two bits) of 
the error code does not, however, 
contain 
the 
privilege level. Instead, 
it contains 
the follow- 
ing information: 


• 
Bit 0 contains 
the value 1 if the exception 
was detected 
during 
an interrupt 
caused 
by an event external 
to the program 
(i.e., 
an external 
interrupt, 
a single 
step, 
a 
processor 
extension 
not-present 
excep- 
tion, 
or a processor 
extension 
segment 
overrun). 
Bit 0 is 0 if the exception 
was 
detected 
while 
processing 
the 
regular 
instruction 
stream, 
even if the instruction 
stream 
is part 
of an external 
interrupt 
handling 
procedure 
or task. If bit 0 is set, 
the instruction 
pointed 
to by the 
saved 
CS:IP 
address 
is not responsible 
for the 
error. 


• 
Bit 
1 is 1 if the 
selector 
points 
to the 
Interrupt 
Descriptor 
Table. 
In this case, 
bit 2 can be ignored, and bits 3-15 contain 
the index into the IDT. 


I 


Description 
I 
Abbreviation 
Interrupt 
Number 


#UD 
6 
Undefined 
Opcode 
#NM 
7 
No Math Unit Available 
#DF 
8 
Double 
Fault 
#MP 
9 
Math Unit Protection 
Fault 
#TS 
10 
Invalid Task State Segment 
#NP 
11 
Not Present 
#SS 
12 
Stack 
Fault 
#GP 
13 
General 
Protection 
#MF 
16 
Math Fault 


I 


• 
Bit 1 is 0 if the selector points to the 
Global or Local Descriptor Tables. In this 
case, bits 2-15 have their usual selector 
interpretation: 
bit 2 selects the table 


(l = Local, O=Global), and bits 3-15 are 
the index into the table. 


In some cases the iAPX 286 chooses to pass 
an error code with no information in it. In 
these cases, all 16 bits of the error code are 
zero. 


The existence and type of error codes are 
described under each of the following individ- 
ual exceptions. 


#DF 8 Double Fault (Zero Error Code) 


This exception is generated when a second 
exception is detected while the processor is 
attempting to transfer control to the handler 
for an exception. For instance, it is generated 
if the code segment containing the exception 
handler 
is marked 
not present. 
It is also 


generated if invoking the exception handler 
causes a stack overflow. 


This exception is not generated during the 
execution of an exeception handler. Faults 
detected within the instruction 
stream 
are 
handled by regular exceptions. 


The error code is normally zero. The saved 
CS:IP will point at the instruction that was 
attempting to execute when the double fault 
occurred. Since the error code is normally 
zero, no information on the source of the 
exception is available. Restart is not possible. 


#GP 13 General Protection (Selector or 
Zero Error Code) 


This exception is generated for all protection 
violations not covered by the other exceptions 
in this section. Examples of this include: 


1. 
An attempt to address a memory location 
by using an offset that exceeds the limit 
for the segment involved. 


2. 
An attempt to jump to a data segment. 


3. 
An attempt to load SS with a selector for 
a read-only segment. 


4. 
An attempt 
to write 
to a read-only 


segment. 


If #GP occurred while loading a descriptor, 
the error code passed contains the selector 
involved. Otherwise, the error code is zero. 


If the error code is not zero, the instruction 
can be restarted if the erroneous condition is 
rectified. If the error code is zero either a limit 
violation, 
a write protect 
violation, 
or an 


illegal 
use 
of 
invalid 
segment 
register 


occurred. An invalid segment register contains 
the values 0-3. Generally, a limit fault on 
MOVS, CMPS, INS, OUTS, or STOS is not 
restartable. A write protect fault on ADC, 
SBB, RCL, 
RCR, 
or XCHG 
also is not 


restartable. 


#MF 16 Math Fault (No Error Code) 


This exception is generated when the numeric 
processor extension (the 80287) detects an 
error signalled 
by the ERROR 
input 
pin 


leading from the 80287 to the 80286. The 
ERROR pin is tested at the beginning of most 
floating point instructions, and when aWAIT 
instruction is executed with the EM bit of the 
Machine 
Status 
Word 
set to 0 (i.e., 
no 


emulation of the math unit). The floating 
point instructions 
that 
do not cause 
the 


ERROR 
pin to be tested 
are FNCLEX, 


FNINIT, 
FSETPM, 
FNSTCW, 
FSTCW, 


FNSTSW, 
FSTSW, 
FNSA VE, FSA VE, 


FNSTENV, and FSTENV. 


If the handler corrects the error condition 
causing 
the exception, 
the floating 
point 


instruction that caused #MF can be restarted. 
This is not accomplished by IRET, however, 
since the fault occurs at the floating point 
instruction that follows the offending instruc- 
tion. Before restarting the numeric instruc- 


tion, the handler must obtain from the 80287 
the address of the offending instruction and 
the address of the optional numeric operand. 


#MP 9 Math Unit Protection Fault 
(No Error Code) 


This exception is generated if the numeric 
operand is larger than one word and has the 
second or subsequent 
words outside 
the 
segment's 
limit. Not all math addressing 
errors cause exception 
9. If the effective 
address of an ESCAPE instruction is not in 
the segment's limit, or if a write is attempted 
on a read-only segment, exception 13 will 
occur. The #MP exception occurs during the 
execution of the numeric instruction by the 
80287. 
Thus, 
the 
80286 
may 
be in an 
unrelated instruction stream at the time. 


The offending 
floating 
point 
instruction 
cannot be restarted; the task which attempted 
to execute the offending numeric instruction 
must be aborted. However, if the exception 
interrupted another task, it may be restarted. 
The exception handler must execute FNINIT 
before executing 
any ESCAPE 
or WAIT 


instruction. 


#NM 7 No Math Unit Available 
(No Error Code) 


This exception occurs when any floating point 
instruction is executed while the EM bit or 
the TS bit of the Machine Status Word is 1. 
It also occurs when a WAIT instruction is 
encountered and both the MP and TS bits of 
the Machine Status Word are 1. 


Depending on the setting of the MSW bits 
that caused this exception, 
the exception 
handler could provide emulation of the 80287, 
or it could perform a context switch of the 
math 
processor 
to prepare 
it for use by 
another task. 


The instruction causing #NM can be restarted 
if the handler performs a numeric context 


switch. If the handler provided emulation of 
the math unit, it should advance the return 
pointer beyond the floating point instruction 
that caused NM. 


#NP 11 Not Present (Selector Error Code) 


This exception occurs when CS, DS, ES, or 
the Task Register is loaded with a descriptor 
that is marked not present but is otherwise 
valid. It can occur in an LLDT instruction, 
but the #NP exception will not occur if the 
processor attempts to load the LDT register 
during a task switch. A not-present 
LDT 
encountered during a task switch causes the 
#TS exception. 


The error code passed is the selector of the 
descriptor that is marked not present. 


Typically, the Not Present exception handler 
is used to implement a virtual memory system. 
The operating 
system 
can swap inactive 
memory segments to a mass-storage device 
such as a disk. Applications programs need 
not be told about this; the next time they 
attempt to access the swapped-out memory 
segment, the Not Present 
handler 
will be 
invoked, the segment will be brought back into 
memory, and the offending instruction within 
the applications program will be restarted. 


If #NP is detected on loading CS, DS, or ES 
in a task switch, the exception occurs in the 
new task, and the IRET from the exception 
handler jumps directly to the next instruction 
in the new task. 


The Not Present 
exception 
handler 
must 
contain special code to complete the loading 
of segment registers when #NP is detected in 
loading the CS or DS registers in a task 
switch and a trap or interrupt gate was used. 
The DS and ES registers have been loaded 
but their descriptors have not been loaded. 
Any memory reference using the segment 
register may cause exception 13. The #NP 


exception handler should execute code such 
as the following to ensure full loading of the 
segment registers: 


MOV AX,DS 
MOVDS,AX 
MOV AX,ES 
MOV ES,AX 


#SS 12 Stack Fault (Selector or Zero 
Error Code) 


This exception 
is generated 
when a limit 


violation is detected in addressing through the 
SS register. It can occur on stack-oriented 
instructions such as PUSH or POP, as well 
as other types of memory references using SS 
such as MOV AX,[BP+28]. 
It also can occur 


on an ENTER instruction when there is not 
enough space on the stack for the indicated 
local variable space, even if the stack excep- 
tion is not triggered by pushing BP or copying 
the display 
stack. A stack exception 
can 


therefore indicate a stack overflow, a stack 
underflow or a wild offset. The error code will 
be zero. 


#SS is also generated on an attempt to load 
SS with a descriptor 
that 
is marked 
not 


present but is otherwise valid. This can occur 
in a task switch, an inter-level call, an inter- 
level return, a move to the SS instruction or 
a pop to the SS instruction. The error code 
will be non-zero. 


#SS is never generated 
when addressing 


through the DS or ES registers even if the 
offending register points to the same segment 
as the SS register. 


The #SS exception 
handler 
must contain 


special 
code to complete 
the loading 
of 


segment registers. The DS and ES registers 
will not be fully loaded 
if a not-present 


condition is detected while loading the SS 
register. Therefore, the #SS exception handler 


should execute code such as the following to 
insure full loading of the segment registers: 


MOV AX,DS 
MOV DS,AX 
MOV AX,ES 
MOV ES,AX 


Generally, the instruction causing #SS can be 
restarted, but there is one special case when 
it cannot: when a PUSHA or POP A instruc- 
tion attempts to wrap around the 64K bound- 
ary of a stack segment. This condition is 
identified by the value of the saved SP, which 
can be either OOOOH,OOOIH, OFFFEH, or 
OFFFFH. 


#TS 10 Invalid Task State Segment 
(Selector Error Code) 


This exception is generated when a task state 
segment is invalid, that is, when a task state 
segment is too small; when the LDT indicated 
in a TSS is invalid or not present; when the 
SS, CS, DS, or ES indicated in a TSS are 
invalid (task switch); when a TSS indicated 
an invalid privileged stack (inter-level call); 
or when the back link in a TSS is invalid 
(inter-task IRET). 


#TS is not generated when the SS, CS, DS, 
or ES back link or privileged stack selectors 
point to a descriptor that is not present but 
otherwise is valid. #NP is generated in these 
cases. 


The error code passed to the exception handler 
contains the selector of the offending segment, 
which can either be the Task State Segment 
itself, or a selector found within the Task 
State Segment. 


#UD 6 Undefined Opcode (No Error Code) 


This exception is generated when an invalid 
operation code is detected in the instruction 
stream. Following are the cases in which #UD 
can occur: 


1. 
The 
first 
byte 
of an 
instruction 
is 


completely invalid (e.g., 64H). 


2. 
The first byte indicates a 2-byte opcode 
and the second byte is invalid (e.g., OFH 
followed by OFFH). 


3. 
An invalid register is used with an other- 
wise valid opcode (e.g., MOV CS,AX). 


4. 
An invalid opcode extension is given in 
the REG field of the ModRM byte (e.g., 
OF6H /1). 


5. 
A register operand is given in an instruc- 
tion that 
requires 
a memory operand 


(e.g., LGDT AX). 


Since the offending opcode will always be 
invalid, it cannot be restarted. However, the 
#UD handler might be coded to implement 
an extension of the iAPX 286 instruction set. 
In that case, the handler could advance the 
return pointer beyond the extended instruc- 
tion and return control to the program after 
the extended instruction 
is emulated. 
Any 
such extensions may be incompatible 
with 


iAPX 
386. 


Privilege Level and Task Switching on 
the iAPX 286 


The iAPX 286 supports many of the functions 
necessary to implement a protected, multi- 
tasking operating system in hardware. 
This 


support is provided not by additional instruc- 
tions, but by extension of the semantics of 
iAPX 86/88 
instructions 
that change the 


value of CS:IP. 


Whenever the iAPX 286 performs an inter- 
segment jump, call, interrupt, 
or return, 
it 


consults the Access Rights (AR) byte found 
in the descriptor table entry of the selector 
associated with the new CS value. The AR 
byte determines whether the long jump being 
made is through a gate, or is a task switch, or 
is a simple long jump to the same privilege 
level. Table B-3 lists the possible values of the 
AR byte. The "privilege" headings at the top 
of the table give the Descriptor 
Privilege 


Level, which is referred to as the DPL within 
the instruction descriptions. 


Each of the CALL, INT, IRET, JMP, and 
RET instructions contains on its instruction 
set pages 
a listing 
of the 
access 
rights 


checking 
and actions 
taken 
to implement 


the 
instruction. 
Instructions 
involving 
task 
switches 
contain 
the 
symbol 
SWITCH_TASKS, 
which is an abbreviation 


for the following list of checks and actions: 


SWITCH_TASKS: 
Locked 
set AR byte of new TSS descriptor 
to Busy TSS (Bit 1 = 1) 


Current 
TSS cache must be valid with limit ~ 
43 else #TS 
(error 
code will 


be new TSS, but back link points 
at old TSS) 


New TSS limit ~ 43 else #TS 
(new TSS) 


Save machine 
state in current 
TSS 


If nesting 
tasks, 
set the new TSS link to the current 
TSS selector 


Any exception 
will be in new context 
Else set the AR byte of current 
TSS 


descriptor 
to Available 
TSS (Bit 1 = 0) 


Set the current 
TR to selector, 
base, and limit of new TSS 


Set all machine 
registers 
to values 
from 
new TSS without 
loading 
descriptors 
for OS, ES, CS, SS, LOT 
Clear valid flags for LOT,SS,CS,OS,ES 
(not valid yet) 


Set the Task Switched 
flag to 1 


If nesting 
tasks, 
set the Nested 
Task flag to 1 


LOT from the new TSS must be within 
GOT table limits else #TS(LOT) 


AR byte from 
LOT descriptor 
must specify 
LOT segment 
else #TS(LOT) 


AR byte from LOT descriptor must indicate PRESENT else #TS(LOT) 
Load LOT cache with new LOT descriptor and set valid bit 
Set CPL to the RPL of the CS selector in the new TSS 
If new stack selector is null #TS(SS) 
SS selector must be within its descriptor table limits else #TS(SS) 
SS selector RPL must be equal to CPL else #TS(SS) 
OPL of SS descriptor must equal CPL else #TS(SS) 
SS descriptor AR byte must indicate writable data segment else #TS(SS) 
SS descriptor AR byte must indicate PRESENT else #SS(SS) 
Load SS cache with new stack segment and set valid bit 
New CS selector must not be null else #TS(CS) 
CS selector must be within its descriptor table limits else #TS(CS) 
CS descriptor AR byte must indicate code segment else #TS(CS) 
If non-conforming then OPL must equal CPL else #TS(CS) 
If conforming then OPL must be =:; CPL else #TS(CS) 
CS descriptor AR byte must indicate PRESENT else #NP(CS) 
Load CS cache with new code segment descriptor and set valid bit 
For OS and ES: 


If new selector is not null then perform following checks: 
Index must be within its descriptor table limits else #TS(segment selector) 
AR byte must indicate data or readable code else #TS(segment selector) 
If data or non-conforming code then: 


OPL must be ~ CPL else #TS(segment selector) 
OPL must be ~ RPL else #TS(segment selector) 


AR byte must indicate PRESENT else #NP(segment selector) 
Load cache with new segment descriptor and set valid bit 


Not present, 
Present, 


privilege = 
privilege = 
Descriptor 
Type 


0 
1 
2 
3 
0 
1 
2 
3 


00 
20 
40 
60 
80 
AO 
CO 
EO 
Illegal 


01 
21 
41 
61 
81 
A1 
C1 
E1 
Available 
Task State Segment 


02 
22 
42 
62 
82 
A2 
C2 
E2 
Local Descriptor 
Table Segment 
03 
23 
43 
63 
83 
A3 
C3 
E3 
8usy 
Task State Segment 


04 
24 
44 
64 
84 
A4 
C4 
E4 
Call Gate 


05 
25 
45 
65 
85 
A5 
C5 
E5 
Task Gate 


06 
26 
46 
66 
86 
A6 
C6 
E6 
Interrupt 
Gate 


07 
27 
47 
67 
87 
A7 
C7 
E7 
Trap Gate 


08 
28 
48 
68 
88 
A8 
C8 
E8 
Illegal 


09 
29 
49 
69 
89 
A9 
C9 
E9 
Illegal 


OA 
2A 
4A 
6A 
8A 
AA 
CA 
EA 
Illegal 


08 
28 
48 
68 
88 
A8 
C8 
E8 
Illegal 


OC 
2C 
4C 
6C 
8C 
AC 
CC 
EC 
Illegal 


OD 
2D 
4D 
6D 
8D 
AD 
CD 
ED 
Illegal 


OE 
2E 
4E 
6E 
8E 
AE 
CE 
EE 
Illegal 
OF 
2F 
4F 
6F 
8F 
AF 
CF 
EF 
Illegal 


10 
30 
50 
70 
90 
80 
DO 
FO 
Expand-up, 
read only, ignored 
Data Segment 
11 
31 
51 
71 
91 
81 
D1 
F1 
Expand-up, 
read only, accessed 
Data Segment 
12 
32 
52 
72 
92 
82 
D2 
F2 
Expand-up, 
writable, 
ignored 
Data Segment 
13 
33 
53 
73 
93 
83 
D3 
F3 
Expand-up, 
writable, 
accessed 
Data Segment 
14 
34 
54 
74 
94 
84 
D4 
F4 
Expand-down, 
read only, ignored 
Data Segment 
15 
35 
55 
75 
95 
85 
D5 
F5 
Expand-down, 
read only, accessed 
Data Segment 
16 
36 
56 
76 
96 
86 
D6 
F6 
Expand-down, 
writable, 
ignored 
Data Segment 
17 
37 
57 
77 
97 
87 
D7 
F7 
Expand-down, 
writable, 
accessed 
Data Segment 
18 
38 
58 
78 
98 
88 
D8 
F8 
Non-conform, 
no read, ignored 
Code Segment 
19 
39 
59 
79 
99 
89 
D9 
F9 
Non-conform, 
no read, accessed 
Code Segment 
1A 
3A 
5A 
7A 
9A 
8A 
DA 
FA 
Non-conform, 
readable, 
ignored 
Code Segment 
18 
38 
58 
78 
98 
88 
D8 
F8 
Non-conform, 
readable, 
accessed 
Code Segment 
1C 
3C 
5C 
7C 
9C 
8C 
DC 
FC 
Conforming, 
no read, ignored 
Code Segment 
1D 
3D 
5D 
7D 
9D 
8D 
DD 
FD 
Conforming, 
no read, accessed 
Code Segment 
1E 
3E 
5E 
7E 
9E 
8E 
DE 
FE 
Conforming, 
readable, 
ignored 
Code Segment 
1F 
3F 
5F 
7F 
9F 
8F 
DF 
FF 
Conforming, 
readable, 
accessed 
Code Segment 


AAA - 
ASCII Adjust AL After Addition 


FLAGS MODIFIED 
Auxiliary carry, carry 


FLAGS UNDEFINED 
Overflow, sign, zero, parity 


OPERATION 
AAA should be executed only after an ADD 
instruction which leaves a byte result in the 
AL register. The lower nibbles of the operands 
to the ADD instruction should be in the range 
o through 9 (BCD digits). In this case, the 
AAA instruction will adjust AL to contain the 
correct decimal digit result. If the addition 
produced a decimal carry, the AH register is 
incremented, 
and the carry and auxiliary 


carry flags are set to 1. If there was no 
decimal carry, the carry and auxiliary carry 
flags are set to 0, and AH is unchanged. In 


any case, AL is left with its top nibble set to 
O. To convert AL to an ASCII result, you can 
followthe AAA instruction with OR AL,30H. 


The precise definition of AAA is as follows: 
if the lower 4 bits of AL are greater than nine, 
or if the auxiliary carry flag is 1, then incre- 
ment AL by 6, AH by 1, and set the carry 
and auxiliary carry flags. Otherwise, reset the 
carry and auxiliary carry flags. In any case, 
conclude the AAA operation by setting the 
upper four bits of AL to zero. 


PROTECTED 
MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


AAD-ASCII 
Adjust AX Before Division 


FLAGS MODIFIED 


Sign, zero, parity 


plished by setting AL to AL + (10 X AH), 
and then 
setting 
AH 
to O. This 
leaves 
AX 
equal to the binary 
equivalent 
of the original 
unpacked 
2-digit number. 
FLAGS UNDEFINED 


Overflow, 
auxiliary 
carry, carry 


OPERATION 


AAD is used to prepare 
two unpacked 
BCD 


digits 
(least 
significant 
in AL, most 
signifi- 
cant 
in AH) 
for a division 
operation 
which 


will yield an unpacked 
result. 
This is accom- 


PROTECTED 
MODE EXCEPTIONS 


None 


REAL ADDRESS MODE EXCEPTIONS 


None 


FLAGS MODIFIED 


Sign, zero, parity 


contained 
entirely 
in the AL register. 
AAM 


unpacks the AL result by dividing AL by ten, 
leaving 
the quotient 
(most 
significant 
digit) 


in AH, 
and the remainder 
(least 
significant 


digit) in AL. 


FLAGS UNDEFINED 


Overflow, 
auxiliary 
carry, 
carry 


OPERATION 


AAM 
should be used only after 
executing 
a 
MUL instruction 
between two unpacked 
BCD 


digits, 
leaving the result 
in the AX register. 


Since the result is less than one hundred, 
it is 


PROTECTED 
MODE EXCEPTIONS 


None 


REAL ADDRESS MODE EXCEPTIONS 


None 


AAS- ASCII Adjust AL After Subtraction 


FLAGS MODIFIED 


Auxiliary 
carry, carry 


FLAGS UNDEFINED 


Overflow, 
sign, zero, parity 


OPERATION 


AAS should be executed 
only after a subtrac- 


tion instruction 
which left the byte result 
in 


the 
AL 
register. 
The 
lower 
nibbles 
of the 


operands 
to the SUB instruction 
should have 


been in the range 0 through 
9 (BCD 
digits). 
In this case, the AAS instruction 
will adjust 


AL to contain the correct decimal digit result. 
If the subtraction 
produced 
a decimal 
carry, 


the AH register is decremented, 
and the carry 


and auxiliary 
carry flags are set to I. If there 


was no decimal 
carry, the carry and auxiliary 


carry flags are set to 0, and AH is unchanged. 


In any case, AL is left with its top nibble set 
to O. To convert 
AL to an ASCII 
result, 
you 
can 
follow 
the 
AAS 
instruction 
with 
OR AL,30H. 


The precise definition 
of AAS is as follows: if 
the lower four bits of AL are greater 
than 
9, 


or if the auxiliary 
carry flag is I, then decre- 
ment AL by 6, AH by I, and set the carry 
and auxiliary 
carry flags. Otherwise, 
reset the 
carry 
and auxiliary 
carry 
flags. In any case, 


conclude 
the AAS 
operation 
by setting 
the 
upper four bits of AL to zero. 


PROTECTED 
MODE EXCEPTIONS 


None 


REAL ADDRESS MODE EXCEPTIONS 


None 


ADC/ ADD-Integer 
Addition 


Opcode 
Instruction 
Clocks 
Description 


10 
Ir 
ADC eb,rb 
2,mem=7 
Add with carry byte register into EA byte 


11 
Ir 
ADC ew,rw 
2,mem=7 
Add with carry word register into EA word 


12 
Ir 
ADC rb,eb 
2,mem=7 
Add with carry EA byte into byte register 
13 
Ir 
ADC rw,ew 
2,mem=7 
Add with carry EA word into word register 
14 
db 
ADC AL,db 
3 
Add with carry immediate byte into AL 


15 
dw 
ADC AX,dw 
3 
Add with carry immediate word into AX 
80 
12 
db 
ADC eb,db 
3,mem=7 
Add with carry immediate byte into EA byte 


81 
12 
dw 
ADC eW,dw 
3,mem=7 
Add with carry immediate word into EA word 


83 
12 
db 
ADC eW,db 
3,mem=7 
Add with carry immediate byte into EA word 
00 
Ir 
ADD eb,rb 
2,mem=7 
Add byte register into EA byte 
01 
Ir 
ADD ew,rw 
2,mem=7 
Add word register into EA word 
02 
Ir 
ADD rb,eb 
2,mem=7 
Add EA byte into byte register 
03 
Ir 
ADD rw,ew 
2,mem=7 
Add EA word into word register 


04 
db 
ADD AL,db 
3 
Add immediate byte into AL 
05 
dw 
ADD AX,dw 
3 
Add immediate word into AX 
80 
10 
db 
ADD eb,db 
3,mem=7 
Add immediate byte into EA byte 


81 
10 
dw 
ADD eW,dw 
3,mem=7 
Add immediate word into EA word 


83 
10 
db 
ADD eW,db 
3,mem=7 
Add immediate byte into EA word 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 


carry 


FLAGS UNDEFINED 


None 


OPERATION 


ADD and ADC 
perform 
an integer 
addition 


on the two operands. 
The ADC 
instruction 


also adds in the initial state of the carry flag. 
The result 
of the 
addition 
goes to the 
first 


operand. 
ADC is usually 
executed 
as part of 


a 
multi-byte 
or 
multi-word 
addition 


operation. 


When 
a byte immediate 
value is added 
to a 


word operand, 
the 
immediate 
value 
is first 


sign-extended. 


PROTECTEDMODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REALADDRESSMODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


AND-Logical 
AND 


20 
Ir 
21 
Ir 
22 
Ir 
23 
Ir 
24 
db 
25 
dw 
80 
14 
db 


81 
14 
dw 


AND 
eb,rb 
AND 
ew,rw 
AND 
rb,eb 
AND 
rw,ew 
AND 
AL,db 
AND 
AX,dw 
AND 
eb,db 
AND 
eW,dw 


2,mem=7 
2,mem=7 
2,mem=7 
2,mem=7 
3 
3 
3,mem=7 
3,mem=7 


Logical-AND 
byte register 
into EA byte 


Logical-AND 
word 
register 
into EA word 


Logical-AND 
EA byte into byte register 


Logical-AND 
EA word 
into word 
register 


Logical-AND 
immediate 
byte into AL 


Logical-AND 
immediate 
word 
into AX 


Logical-AND 
immediate 
byte into EA byte 


Logical-AND 
immediate 
word 
into EA word 


FLAGS MODIFIED 


Overflow=O, 
sign, zero, parity, 
carry=O 


FLAGS UNDEFINED 


Auxiliary 
carry 


OPERATION 


Each 
bit of the result 
is a 1 if both 
corre- 


sponding 
bits of the operands 
were 
1; it is 0 


otherwise. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


Adjust RPL of EA word not less than RPL of 
rw 


FLAGS MODIFIED 
Zero 


FLAGS UNDEFINED 
None 


OPERATION 
The ARPL instruction has two operands. The 
first operand is a 16-bit memory variable or 
word register that contains the value of a 
selector. The second operand is a word regis- 
ter. If the RPL field (bottom two bits) of the 
first operand is less than the RPL field of the 
second operand, then the zero flag is set to 1 
and the RPL field of the first operand is 
increased to match the second RPL. Other- 
wise, the zero flag is set to 0 and no change 
is made to the first operand. 


ARPL appears in operating systems software, 
not in applications programs. It is used to 
guarantee 
that 
a selector 
parameter 
to a 


subroutine does not request more privilege 
than the caller was entitled to. The second 
operand used by ARPL would normally be a 
register that contains the CS selector value of 
the caller. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the result 
is in a non-writable 


segment. 
#GP(O) for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 6. ARPL is not recognized in Real 
Address mode. 


BOUND-Check 
Array Index Against Bounds 


noj=13 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


BOUND 
is used to ensure that a signed array 


index is within 
the limits 
defined 
by a two- 


word block of memory. 
The first operand 
(a 


register) 
must be greater 
than or equal to the 


first word in memory, 
and less than or equal 


to the second word in memory. 
If the register 


is not within the bounds, 
an INTERRUPT 
5 


occurs. 


The two-word 
block might typically 
be found 


just before the array itself and therefore 
would 


be accessible 
at a constant 
offset of -4 from 


the array, 
simplifying 
the addressing. 


PROTECTED 
MODE EXCEPTIONS 


INTERRUPT 
5 if the bounds 
test fails, 
as 
described 
above. 
#GP(O) 
for 
an 
illegal 
memory 
operand 
effective 
address 
in the CS, 


DS, or ES segments; 
#SS(O) 
for an illegal 
address 
in the SS segment. 


The 
second 
operand 
must 
be 
a memory 
operand, 
not 
a register. 
If 
the 
BOUND 
instruction 
is executed 
with a ModRM 
byte 
representing 
a register 
second 
operand, 
then 
fault #UD will occur. 


REAL ADDRESS MODE EXCEPTIONS 


INTERRUPT 
5 if the bounds 
test fails, 
as 
described 
above. 
Interrupt 
13 for a second 
operand 
at offset OFFFDH 
or higher. 
Inter- 
rupt 6 if the second operand 
is a register, 
as 
described 
in the paragraph 
above. 


E8 
cw 
FF 
/2 
9A 
cd 
9A 
cd 
9A 
cd 
9A 
cd 
9A 
cd 
9A 
cd 


FF 
/3 
FF 
/3 
FF 
/3 


FF 
/3 
FF 
/3 
FF 
/3 


CALL cw 
CALL ew 
CALL cd 
CALL cd 
CALL cd 
CALL cd 
CALL cd 
CALL cd 
CALL ed 
CALL ed 
CALL ed 
CALL ed 
CALL ed 
CALL ed 


7 
7,mem=11 
13,pm=26 
41 
82 
86+4X 
177 
182 
16,mem=29 
44 
83 
90+4X 
180 
185 


FLAGS MODIFIED 
None, except when a task switch occurs 


FLAGS UNDEFINED 
None 


OPERATION 
The CALL instruction causes the procedure 
named in the operand to be executed. When 
the procedure is complete (a return instruc- 
tion is executed within the procedure), execu- 
tion continues at the instruction that follows 
the CALL instruction. 


The CALL cw form of the instruction adds 
modulo 65536 (the 2-byte operand) to the 
offset of the instruction following the CALL 
and sets IP to the resulting offset. The 2-byte 
offset of the instruction 
that 
follows the 
CALL is pushed onto the stack. It will be 
popped by a near RET instruction within the 
procedure. The CS register is not changed by 
this form. 


The CALL ew form of the instruction is the 
same as CALL cw except that the operand 
specifies a memory location from which the 


Call near, offset relative to next instruction 
Call near, offset absolute at EA word 
Call inter-segment, immediate 4-byte address 
Call gate, same privilege 
Call gate, more privilege, no parameters 
Call gate, more privilege, X parameters 
Call via Task State Segment 
Call via task gate 
Call inter-segment, address at EA doubleword 
Call gate, same privilege 
Call gate, more privilege, no parameters 
Call gate, more privilege, X parameters 
Call via Task State Segment 
Call via task gate 


absolute 2-byte offset for the procedure is 
fetched. 


The CALL cd form of the instruction uses the 
4-byte operand as a pointer to the procedure 
called. The CALL ed form fetches the long 
pointer from the memory location specified. 
Both long pointer forms consult the AR byte 
in the descriptor indexed by the selector part 
of the long pointer. The AR byte can indicate 
one of the following descriptor types: 


1. 
Code Segment-The 
access rights are 
checked, the return pointer is pushed onto 
the stack, and the procedure is jumped 
to. 
2. 
Call Gate-The 
offset part of the pointer 
is ignored. Instead, the entire address of 
the procedure is taken from the call gate 
descriptor 
entry. 
If the routine 
being 
entered is more privileged, then a new 
stack (both SS and SP) is loaded from 
the task state segment for the new privi- 
lege level, and parameters determined by 
the wordcount field of the call gate are 
copied from the old stack to the new 
stack. 


3. 
Task Gate-The 
current 
task's context 
is 


saved in its Task State 
Segment 
(TSS), 


and the TSS 
named 
in the task-gate 
is 


used to load the new context. 
The selec- 
tor for the outgoing 
task 
(from 
TR) 
is 


stored into the new TSS's 
link field, and 


the new task's 
Nested 
Task 
flag is set. 


The outgoing task is left marked busy, the 
new TSS is marked 
busy, and execution 


resumes 
at the 
point 
at which 
the 
new 


task was last suspended. 


4. 
Task State Segment-The 
current 
task is 


suspended 
and the new task initiated 
as 


in 3 above except 
that 
there 
is no inter- 


vening gate. 


For long calls involving 
no task 
switch, 
the 
return 
link is the pointer 
of the instruction 
that 
follows the CALL, 
i.e., the caller's 
CS 
and 
updated 
IP. 
Task 
switches 
invoked 
by 


CALLs 
are 
linked 
by storing 
the 
outgoing 
task's TSS selector in the incoming TSS's 
link 
field and setting 
the Nested 
Task flag in the 


new task. Nested tasks must be terminated 
by 


an IRET. 
IRET 
releases 
the nested 
task and 
follows the back link to the calling task if the 
NT flag is set. 


A precise list of the protection 
checks 
made 


and the actions 
taken 
is given by the follow- 


ing list: 


CALL FAR: 


If indirect then check access of EA doubleword #GP(O) if limit violation 
New CS selector must not be null else #GP(O) 
Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector) 
Examine AR byte of selected descriptor for various legal values: 


CALL CONFORMING CODE SEGMENT: 


DPL must be 2::CPL else #GP (code segment selector) 
Segment must be PRESENT else #NP (code segment selector) 
Stack must be big enough for return address else #SS(O) 
IP must be in code segment limit else #GP(O) 
Load code segment descriptor into CS cache 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load IP with new offset 


CALL NONCONFORMING CODE SEGMENT: 


RPL must be .::::;CPL else #GP (code segment selector) 
DPL must be = CPL else #GP (code segment selector) 
Segment must be PRESENT else #NP (code segment selector) 
Stack must be big enough for return address else #SS(O) 
IP must be in code segment limit else #GP(O) 
Load code segment descriptor into CS cache 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load IP with new offset 


\-ALL TO CALL GATE: 


Call gate DPL must be 2::CPL else #GP (call gate selector) 
Call gate DPL must be 2:: RPL else #GP (call gate selector) 
Call gate must be PRESENT else #NP (call gate selector) 
Examine code segment selector in call gate descriptor: 


Selector must not be null else #GP(O) 
Selector must be within its descriptor table limits else #GP (code segment selector) 
AR byte of selected descriptor must indicate code segment else #GP (code segment selector) 
DPL of selected descriptor must be .::::;CPL else #GP( code segment selector) 
If non-conforming code segment and DPL < CPL then 


CALL GATE TO MORE PRIVILEGE: 
Get new SS selector for new privilege level from TSS 


~'Cl'I'CI''''''VI IIIU;:''' 
IIV" 
!rJ'C'IIUII 
llCil;:'", Tr 
I v\Vj 
Selector index must be within its descriptor table limits else #TS (SS selector) 
Selector's RPL must equal DPL of code segment else #TS (SS selector) 
Stack segment DPL must equal DPL of code segment else #TS (SS selector) 
Descriptor must indicate writable data segment else #TS (SS selector) 
Segment PRESENT else #SS (SS selector) 


New stack must have room for parameters plus 8 bytes else #SS(O) 
IP must be in code segment limit else #GP(O) 
Load new SS:SP value from TSS 
Load new CS:IP value from gate 
Load CS descriptor 
Load SS descriptor 
Push long pointer of old stack onto new stack 
Get word count from call gate, mask to 5 bits 
Copy parameters from old stack onto new stack 
Push return address onto new stack 
Set CPL to stack segment DPL 
Set RPL of CS to CPL 


Else 
CALL GATE TO SAME PRIVILEGE: 
Stack must have room for 4-byte return address else #SS(O) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from gate 
Push return address onto stack 
Load code segment descriptor into CS-cache 
Set RPL of CS to CPL 


CALL TASK GATE: 


Task gate DPL must be 2=: CPL else #GP (gate selector) 
Task gate DPL must be 2=: RPL else #GP (gate selector) 
Task Gate must be PRESENT else #NP (gate selector) 
Examine selector to TSS. given in Task Gate descriptor: 
Must specify global in the local/global bit else #GP (TSS selector) 
Index must be within GOT limits else #GP (TSS selector) 
TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 
Task State Segment must be PRESENT else #NP (TSS selector) 


SWITCH_TASKS with nesting to TSS 
IP must be in code segment limit else #GP(O) 


TASK STATE SEGMENT: 


TSS DPL must be 2=: CPL else #GP (TSS selector) 
TSS DPL must be 2=: RPL else #GP (TSS selector) 
TSS descriptor AR byte must specify available TSS else #GP (TSS selector) 
Task State Segment must be PRESENT else #NP (TSS selector) 
SWITCH-T ASKS with nesting to TSS 
IP must be in code segment limit else #GP(O) 


ELSE #GP (code segment selector) 


PROTECTED 
MODE EXCEPTIONS 


FAR 
calls: 
#GP, 
#NP, 
#SS, 
and 
#TS, 
as 


indicated 
in the list above. 


NEAR 
direct 
calls: 
#GP(O) 
if procedure 


location 
is beyond the code segment 
limits. 


NEAR 
indirect 
CALL: 
#GP(O) for an illegal 


memory 
operand 
effective 
address 
in the CS, 


DS, or ES segments; 
#SS(O) 
for an illegal 


address in the SS segment. #GP if the indirect 
offset 
obtained 
is beyond 
the code segment 


limits. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


CaW-Convert 
ByteintoWord 


FLAGS MODIFIED 
None 
signed word in AX. It does so by extending 
the top bit of AL into all of the bits of AH. 


FLAGS UNDEFINED 
None 


PROTECTED 
MODE EXCEPTIONS 


None 


OPERATION 
CBW converts the signed byte in AL to a 


REAL ADDRESS MODE EXCEPTIONS 
None 


CLC-Clear 
CarryFlag 


FLAGS MODIFIED 


Carry=O 


PROTECTED 
MODE EXCEPTIONS 


None 


FLAGS UNDEFINED 


None 


REAL ADDRESS MODE EXCEPTIONS 


None 


OPERATION 


CLC sets the carry flag to zero. No other flags 
or registers 
are affected. 


CLD-Clear 
DirectionFlag 


FLAGS MODIFIED 
Direction =0 


or registers 
are affected. 
After 
CLD 
is 


executed, string operations will increment the 
index registers (SI and/or DI) that they use. 


FLAGS UNDEFINED 
None 


PROTECTED 
MODE EXCEPTIONS 
None 


OPERATION 
CLD clears the direction flag. No other flags 


REAL ADDRESS MODE EXCEPTIONS 
None 


FLAGS MODIFIED 


Interrupt 
=0 


FLAGS UNDEFINED 


None 


OPERATION 
eLl clears 
the 
interrupt 
enable 
flag 
if the 


current 
privilege level is at least as privileged 


as 10PL. No other flags are affected. 
Exter- 


nal interrupts 
will be ignored 
after 
the next 


instruction 
if the interrupt 
enable flag remains 
cleared. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the current 
privilege 
level is bigger 


(has less privilege) 
than the 10PL in the flags 


register. 
10PL 
specifies 
the least 
privileged 
level at which I/O 
may be performed. 


REAL ADDRESS MODE EXCEPTIONS 


None 


CLTS-Clear 
Task SwitchedFlag 


FLAGS MODIFIED 


Task switched = 0 


FLAGS UNDEFINED 


None 


OPERATION 


CL TS clears 
the 
task 
switched 
flag 
in the 


Machine 
Status 
Word. This flag is set by the 


iAPX 
286 every time 
a task 
switch 
occurs. 
The 
TS 
flag 
is used 
to manage 
processor 


extensions 
as follows: 
every 
execution 
of a 


WAIT 
or an ESC instruction 
will be trapped 


if the MP flag of MSW 
is set and the task 


switched 
flag 
is set. 
Thus, 
if a processor 


extension is present and a task switch has been 
made 
since 
the 
last 
ESC 
instruction 
was 


begun, the processor 
extension's 
context 
must 


be saved 
before 
a new 
instruction 
can 
be 


issued. The fault routine will save the context 
and reset the task switched 
flag or place the 
task requesting 
the processor 
extension 
into a 


queue 
until 
the 
current 
processor 
extension 
instruction 
is completed. 


CL TS appears 
in operating 
systems software, 
not in applications 
programs. 
It is a privi- 
leged instruction 
that can only be executed 
at 
levelO. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if CLTS 
is executed 
with a current 
privilege level other than O. 


REAL ADDRESS MODE EXCEPTIONS 


None (valid in REAL 
ADDRESS 
MODE 
to 
allow 
power-up 
initialization 
for 
Protected 
Mode) 


CMC-Complement 
Carry Flag 


FLAGS MODIFIED 
Carry 


PROTECTED 
MODE EXCEPTIONS 


None 


FLAGS UNDEFINED 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


OPERATION 
CMC reverses the setting of the carry flag. 
No other flags are affected. 


CMP-Compare 
Two Operands 


Opcode 
Instruction 
Clocks 


3C 
db 
CMP AL,db 
3 
3D 
dw 
CMP AX,dw 
3 
80 
17 
db 
CMP eb,db 
3,mem=6 
38 
Ir 
CMP eb,rb 
2,mem=7 
83 
17 
db 
CMP eW,db 
3,mem=6 
81 
17 
dw 
CMP eW,dw 
3,mem=6 
39 
Ir 
CMP ew,rw 
2,mem=7 
3A 
Ir 
CMP rb,eb 
2,mem=6 
38 
Ir 
CMP rw,ew 
2,mem=6 


Compare immediate byte from AL 
Compare immediate word from AX 
Compare immediate byte from EA byte 
Compare byte register from EA byte 
Compare immediate byte from EA word 
Compare immediate word from EA word 
Compare word register from EA word 
Compare EA byte from byte register 
Compare EA word from word register 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 


carry 


FLAGS UNDEFINED 


None 


OPERATION 


CMP 
subtracts 
the second operand 
from the 
first operand, 
but it does not place the result 


anywhere. 
Only the flags are changed 
by this 
instruction. 
CMP 
is usually 
followed 
by a 


conditional 
jump instruction. 
See the "Jcond" 


instructions 
in this 
chapter 
for 
the 
list 
of 


signed and unsigned flag tests provided by the 
iAPX 286. 


If a word operand 
is compared 
to an immedi- 
ate byte value, 
the byte 
value 
is first 
sign- 


extended. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 
tive address 
in the CS, DS, or ES segments; 
#SS(O) 
for 
an 
illegal 
address 
in the 
SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 
OFFFFH. 


CMPS/CMPSB/CMPSW-Compare 
stringoperands 


CMPS 
mb,mb 
CMPSB 
CMPSW 


Compare 
bytes 
ES:[DI] 
from 
[SI] 
Compare 
bytes 
ES:[DI] 
from 
DS:[SI] 
Compare 
words 
ES:[DI] 
from 
DS:[SI] 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 
carry 


FLAGS UNDEFINED 


None 


OPERATION 


CMPS 
compares 
the byte or word pointed 
to 
by SI with the byte or word pointed 
to by DI 
by performing 
the subtraction 
[SI] 
- 
[DI]. 
The result 
is not placed 
anywhere; 
only the 


flags reflect the result of the subtraction. 
The 


types 
of the 
operands 
to CMPS 
determine 


whether 
bytes 
or words 
are compared. 
The 


segment 
address 
ability 
of the 
first 
(SI) 


operand 
determines 
whether 
a 
segment 


override byte will be produced 
or whether 
the 
default 
segment 
register 
DS is used. 
The 


second (DI) operand must be addressible 
from 


the 
ES 
register; 
no 
segment 
override 
is 


possible. 


After 
the comparison 
is made, 
both 
SI and 
DI are automatically 
advanced. 
If the direc- 
tion flag is 0 (CLD 
was executed), 
the regis- 
ters increment; 
if the direction 
flag is 1 (STD 
was executed), 
the registers 
decrement. 
The 
registers 
increment 
or decrement 
by 
1 if a 
byte was moved; by 2 if a word was moved. 


CMPS 
can 
be 
preceded 
by 
the 
REPE 
or 
REPNE 
prefix 
for block comparison 
of CX 
bytes or words. Refer to the REP instruction 
for details of this operation. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 
tive address 
in the CS, DS, or ES segments; 


#SS(O) 
for 
an 
illegal 
address 
in the 
SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 
OFFFFH. 


FLAGS MODIFIED 


None 


extending 
the top bit of AX into all the bits 
ofDX. 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


None 


OPERATION 


CWD 
converts 
the signed 
word in AX to a 
signed doubleword 
in DX:AX. 
It does so by 


REAL ADDRESS MODE EXCEPTIONS 


None 


FLAGS MODIFIED 
Sign, zero, auxiliary carry, parity, carry 


FLAGS UNDEFINED 
Overflow 


OPERATION 
DAA should be executed only after an ADD 
instruction which leaves a two-BCD-digit byte 
result in the AL register. The ADD operands 
should consist of two packed BCD digits. In 
this case, the DAA instruction will adjust AL 
to contain 
the correct 
two-digit 
packed 


decimal result. 


1. 
If the lower 4 bits of AL are greater than 
nine, or if the auxiliary carry flag is 1, 
then increment AL by 6, and set the 
auxiliary carry flag. Otherwise, reset the 
auxiliary carry flag. 


2. 
If AL is now greater than 9FH, or if the 
carry flag is set, then increment AL by 
60H, and set the carry flag. Otherwise, 
clear the carry flag. 


PROTECTED 
MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


DAS-Decimal 
Adjust AL After Subtraction 


FLAGS MODIFIED 
Sign, zero, auxiliary carry, parity, carry 


OPERATION 
DAS should be executed only after a subtrac- 
tion instruction which leaves a two-BCD-digit 
byte result in the AL register. The operands 
should consist of two packed BCD digits. In 
this case, the DAS instruction will adjust AL 
to contain 
the correct 
packed 
two-digit 


decimal result. 


1. 
If the lower four bits of AL are greater 
than 9, or if the auxiliary carry flag is 1, 
then decrement 
AL by 6, and set the 


auxiliary carry flag. Otherwise, reset the 
auxiliary carry flag. 


2. 
If AL is now greater than 9FH, or if the 
carry flag is set, then decrement AL by 
60H, and set the carry flag. Otherwise, 
clear the carry flag. 


FLAGS UNDEFINED 
Overflow 


PROTECTED 
MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


DEe-Decrement 
by 1 


FE 
/1 
FF 
/1 
48+ 
rw 


DEC eb 
DEC ew 
DEC rw 


2,mem=7 
2,mem=7 
2 


Decrement EA byte by 1 
Decrement EA word by 1 
Decrement word register by 1 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity 


FLAGS UNDEFINED 


None 


OPERATION 


I is subtracted 
from the operand. 
Note 
that 


the carry flag is not changed 
by this instruc- 


tion. If you want Hie carry 
flag set, use the 
SUB instruction 
with a second operand 
of 1. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the operand 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 
OFFFFH. 


DIV - 
Unsigned Divide 


F6 
/6 
F7 
/6 


DIVeb 
DIVew 
14,mem=17 
22,mem=25 
Unsigned 
divide 
AX by EA by1e 
Unsigned 
divide 
DX:AX by EA word 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 
carry 


OPERATION 


DIY 
performs 
an 
unsigned 
divide. 
The 


dividend 
is implicit; 
only the divisor is given 


as an operand. 
If the 
source 
operand 
is a 
BYTE 
operand, 
divide AX by the byte. The 


quotient 
is stored 
in AL, and the remainder 


is stored 
in AH. 
If the source 
operand 
is a 
WORD 
operand, 
divide DX:AX 
by the word. 


The high-order 
16 bits of the 
dividend 
are 
kept in DX. The quotient 
is stored in AX, and 


the remainder 
is stored 
in DX. Non-integral 


quotients 
are 
truncated 
towards 
O. The 


remainder 
is always less than the dividend. 


PROTECTED 
MODE EXCEPTIONS 


Interrupt 
0 if the quotient 
is too big to fit in 


the designated 
register 
(AL or AX), or if the 


divisor is zero. #GP(O) for an illegal memory 
operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
0 if the quotient 
is too big to fit in 


the designated 
register 
(AL or AX), or if the 


divisor 
is zero. 
Interrupt 
13 for 
a word 


operand 
at offset OFFFFH. 


C8 
dw 
00 
C8 
dw 
01 
C8 
dw 
db 


ENTER 
dw,O 
ENTER 
dw,1 
ENTER 
dW,db 


11 
15 
12+4db 


Make stack frame 
for procedure 
parameters 


Make stack frame 
for procedure 
parameters 


Make stack frame 
for procedure 
parameters 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


ENTER 
is used 
to create 
the 
stack 
frame 


required 
by most block-structured 
high-level 


languages. 
The 
first 
operand 
specifies 
how 
many 
bytes 
of dynamic 
storage 
are 
to be 


allocated 
on the stack 
for the routine 
being 


entered. 
The second operand 
gives the lexical 


nesting 
level of the routine 
within 
the high- 


level-language 
source code. It determines 
how 
many stack frame pointers are copied into the 
new stack 
frame 
from 
the preceding 
frame. 
BP is used as the current 
stack frame pointer. 


If the second 
operand 
is 0, ENTER 
pushes 
BP, sets BP to SP, 
and 
subtracts 
the 
first 


operand 
from SP. 


For example, 
a procedure 
with 
12 bytes 
of 
local variables 
would have an ENTER 
12,0 


instruction 
at its entry 
point and a LEAVE 


instru.::tion 
before 
every RET. 
The 
12 local 


bytes would be addressed 
as negative 
offsets 


from [BP]. 


The formal definition 
of the ENTER 
instruc- 
tion for all cases 
is given 
by the 
following 
listing. 
LEVEL 
denotes 
the 
value 
of the 
second operand. 


LEVEL: = LEVEL MOD 32 


Push BP 


Set a temporary 
value FRAME-PTR 
:= 
SP 


If LEVEL > 0 then 


Repeat (LEVEL -1) times: 


BP:= 
BP - 
2 


Push the word 
pointed 
to by BP 


End repeat 


Push FRAME-PTR 


End if 


BP:= 
FRAME-PTR 


SP := SP - 
first operand. 


PROTECTED 
MODE EXCEPTIONS 


#SS(O) if SP were to go outside 
of the stack 


limit 
within 
any 
part 
of 
the 
instruction 


execution. 


REAL ADDRESS MODE EXCEPTIONS 


None 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


If an interrupt 
is used to resume program 
execution after HLT, the saved CS:IP value 
will point to the instruction that follows HL T. 


OPERATION 
Successful execution of HLT causes the iAPX 
286 to cease executing instructions 
and to 


enter a HALT state. Execution resumes only 
upon receipt of an enabled interrupt or a reset. 


PROTECTED 
MODE EXCEPTIONS 
HLT is a privileged instruction. #GP(O) if the 
current privilege level is not O. 


REAL ADDRESS MODE EXCEPTIONS 
None 


IDIV -Signed 
Divide 


F6 
/7 


F7 
/7 


17,mem=20 


25,mem=28 


Signed 
divide 
AX by EA byte (AL=Quo, 


AH=Rem) 
Signed divide DX:AX by EA word (AX=Quo, 
DX=Rem) 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 


carry 


OPERATION 


IDlY performs 
a signed divide. The dividend 


is implicit; 
only 
the 
divisor 
is given 
as an 


operand. 
If the 
source 
operand 
is a BYTE 


operand, 
divide AX by the byte. The quotient 


is stored 
in AL, and the remainder 
is stored 


in AH. 
If the 
source 
operand 
is a WORO 


operand, 
divide 
OX:AX 
by the 
word. 
The 


high-order 
16 bits of the dividend 
are in OX. 
The 
quotient 
is stored 
in 
AX, 
and 
the 


remainder 
is stored 
in OX. 
Non-integral 


quotients 
are 
truncated 
towards 
O. The 


remainder 
has the same sign as the dividend 


and 
always 
has 
less 
magnitude 
than 
the 


dividend. 


PROTECTED 
MODE EXCEPTIONS 


Interrupt 
0 if the quotient 
is too big to fit in 


the designated 
register 
(AL or AX), or if the 


divisor 
is O. #GP(O) 
for an illegal 
memory 


operand 
effective 
address 
in the CS, OS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
0 if the quotient 
is too big to fit in 


the designated 
register 
(AL or AX), or if the 


divisor is O. Interrupt 
13 for a word operand 


at offset OFFFFH. 


IMUL-Signed 
Multiply 


Opcode 
Instruction 
Clocks 


F6 
/5 
IMUL eb 
13,mem=16 


F7 
/5 
IMUL ew 
21,mem=24 


68 
/f 
db 
IMUL rw,db 
21,mem=24 


69 
/f 
dw 
IMUL rw,ew,dw 
21,mem=24 


68 
/f 
db 
IMUL rw,ew,db 
21,mem=24 


Signed multiply (AX = AL X EA byte) 
Signed multiply (DXAX = AX X EA word) 
Signed multiply imm. byte into word reg. 
Signed multiply (rw = EA word X imm. word) 
Signed multiply (rw = EA word X imm. byte) 


FLAGS MODIFIED 


Overflow, 
carry 


FLAGS UNDEFINED 


Sign, zero, auxiliary 
carry, 
parity 


OPERATION 


IMUL 
performs 
signed 
multiplication. 
If 


IMUL 
has a single byte source operand, 
then 


the source is multiplied 
by AL and the 16-bit 


signed result is left in AX. Carry and overflow 
are set to 0 if AH is a sign extension 
of AL; 
they are set to 1 otherwise. 


If IMUL 
has a single word source 
operand, 
then the source operand 
is multiplied 
by AX 


and the 32-bit signed result is left in DX:AX. 
DX contains 
the 
high-order 
16 bits 
of the 


product. 
Carry 
and overflow 
are set to 0 if 


DX is a sign extension 
of AX; they are set to 


1 otherwise. 


If IMUL 
has three operands, 
then the second 


operand 
(an effective 
address 
word) is multi- 


plied 
by the 
third 
operand 
(an 
immediate 
word), and the 16 bits of the result are placed 
in the first operand 
(a word register). 
Carry 


and overflow are set to 0 if the result fits in a 
signed word (between 
- 32768 and + 32767, 


inclusive); 
they are set to 1 otherwise. 


The low 16 bits of the product 
of a 16-bit 


signed multiply 
are the same as those of 


an unsigned 
multiply. 
The three operand 


IMUL 
instruction 
can 
be 
used 
for 


unsigned 
operands 
as well. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 


tive address 
in the CS, DS, or ES segments; 
#SS(O) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


E4 
db 
EC 
E5 
db 


ED 


IN AL,db 
IN AL,OX 
IN AX,db 
IN AX,OX 


Input byte from immediate port into AL 
Input byte from port OX into AL 
Input word from immediate port into AX 
Input word from port OX into AX 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
IN transfers a data byte or data word from 
the port numbered by the second operand into 
the register (AL or AX) given as the first 
operand. You can access any port from 0 to 
65535 by placing the port number in the DX 
register then using an IN instruction with DX 
as the second parameter. These I/O instruc- 
tions can be shortened by using an 8-bit port 


I/O in the instruction. The upper 8 bits of the 
port address will be zero when an 8-bit port 
I/O is used. 


Intel has reserved I/O port addresses OOF8H 
to OOFFH;they should not be used. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the current privilege level is bigger 
(has less privilege) than 10PL, which is the 
privilege level found in the flags register. 


REAL ADDRESS MODE EXCEPTIONS 
None 


INC-Increment by 1 


FE 
/0 
FF 
/0 
40+ 
rw 


INC eb 
INC 
ew 
INC rw 


2,mem=7 
2,mem=7 
2 


Increment 
EA byte by 1 
Increment 
EA word 
by 1 
Increment 
word 
register 
by 1 


FLAGS MODIFIED 
Overflow, sign, zero, auxiliary carry, parity 


FLAGS UNDEFINED 
None 


OPERATION 
1 is added to the operand. Note that the carry 
flag is not changed by this instruction. If you 
want the carry flag set, use the ADD instruc- 
tion with a second operand of 1. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the operand is in a non-writable 
segment. 
#GP(O) 
for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


INS/INSB/INSW-Input 
fromPortto String 


INS eb,OX 
INS ew,OX 
INSB 
INSW 


Input byte from port OX into ES:[OI] 
Input word from port OX into ES:[OI] 
Input byte from port OX into ES:[OI] 
Input word from port OX into ES:[OI] 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
INS 
transfers 
data 
from the input 
port 


numbered by the DX register to the memory 
byte or word at ES:DI. The memory operand 
must be addressable from the ES register; no 
segment override is possible. 


INS does not allow the specification of the 
port number as an immediate value. The port 
must be addressed through the DX register. 


After the transfer is made, DI is automati- 
cally advanced. If the direction flag is 0 (eLD 
was executed), DI increments; if the direction 
flag is 1 (STD was executed), DI decrements. 
DI increments or decrements by 1 if a byte 
was moved; by 2 if a word was moved. 


INS can be preceded by the REP prefix for 
block input of ex 
bytes or words. Refer to 


the 
REP 
instruction 
for 
details 
of this 


operation. 


Intel has reserved I/O port addresses 00F8H 
to OOFFH;they should not be used. 


Not all input port devices can handle the 
rate at which this instruction 
transfers 


input data to memory. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if ePL > 10PL. #GP(O) if the desti- 
nation is in a non-writable segment. #GP(O) 
for an illegal 
memory 
operand 
effective 


address 
in the es, 
DS, or ES segments; 


#SS(O) for an illegal 
address 
in the SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


INT/INTO-Call 
to Interrupt Procedure 


Opcode 
Instruction 
Clocks(1) 
Description 


CC 
INT 3 
23(2) 
Interrupt 3 (trap to debugger) 


CC 
INT 3 
40 
Interrupt 3, protected mode, same privilege 
CC 
INT 3 
78 
Interrupt 3, protected mode, more priVilege 
CC 
INT 3 
167 
Interrupt 3, protected mode, via task gate 
CD 
db 
INT db 
23(2) 
Interrupt numbered by immediate byte 
CD 
db 
INT db 
40 
Interrupt, protected mode, same privilege 
CD 
db 
INT db 
78 
Interrupt, protected mode, more privilege 
CD 
db 
INT db 
167 
Interrupt, protected mode, via task gate 
CE 
INTO 
24,noj=3(2) 
Interrupt 4 if overflow flag is 1 


(1) = Add one clock for each byte of the next instruction executed. 
(2)= (real mode) 


FLAGS UNDEFINED 


None 


FLAGS MODIFIED 


All if a task 
switch 
takes 
place; 
none 
if no 


task switch occurs. 


OPERATION 


The INT instruction 
generates 
via software 
a 


call to an interrupt 
procedure. 
The immedi- 
ate operand, 
from 0 to 255, gives the index 
number 
into the Interrupt 
Descriptor 
Table 


of the 
interrupt 
routine 
to be called. 
In 


protected 
mode, 
the IDT 
consists 
of 8-byte 


descriptors; 
the descriptor 
for the 
interrupt 


invoked must indicate an interrupt 
gate, a trap 


gate, or a task gate. In real address mode, the 
IDT is an array of 4-byte long pointers 
at the 


fixed location 
OOOOOH. 


The INTO 
instruction 
is identical 
to the INT 


instruction 
except 
that 
the interrupt 
number 


is implicitly 
4, and the interrupt 
is made only 
if the overflow 
flag of the iAPX 
286 is on. 
The clock counts 
for the four forms of INT 


db are valid for INTO, 
with the number 
of 
clocks increased 
by I for the overflow 
flag 


test. 


The first 32 interrupts 
are reserved 
by Intel 


for systems use. Some of these interrupts 
are 


exception 
handlers 
for 
internally-generated 


faults. 
Most 
of these 
exception 
handlers 


should 
not 
be 
invoked 
with 
the 
INT 


instruction. 


Generally, 
interrupts 
behave 
like far CALLs 


except 
that 
the flags register 
is pushed 
onto 
the stack before the return 
address. 
Interrupt 


procedures 
return 
via the IRET 
instruction, 
which pops the flags from the stack. 


In Real Address 
mode, INT pushes the flags, 


CS, and the return 
IP onto the stack in that 


order, then jumps to the long pointer 
indexed 


by the interrupt 
number. 


In Protected 
mode, the precise 
semantics 
of 


the 
INT 
instruction 
are 
given 
by 
the 


following listing: 


INTERRUPT 
Interrupt vector must be within lOT table limits else #GP (vector number X 8+2+ 
EXT) 


Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number X 8+2+EXT) 
If INT instruction then gate descriptor DPL must be ~ CPL else #GP (vector number X 8+2+EXT) 


Examine CS selector and descriptor given in the gate descriptor: 


Selector must be non-null else #GP (EXT) 
Selector must be within its descriptor table limits else #GP (selector + EXT) 
Descriptor AR byte must indicate code segment else #GP (selector + EXT) 
Segment must be PRESENT else #NP (selector+EXT) 
If code segment is non-conforming and DPL < CPL then 


INTERRUPT TO INNER PRIVILEGE: 
Check selector and descriptor for new stack in current Task State Segment: 
Selector must be non-null else #GP(EXT) 
Selector index must be within its descriptor table limits else #TS (SS selector + EXT) 
Selector's RPL must equal DPL of code segment else #TS (SS selector+EXT) 
Stack segment DPL must equal DPL of code segment else #TS (SS selector + EXT) 
Descriptor must indicate writable data segment else #TS (SS selector + EXT) 
Segment must be PRESENT else #SS (SS selector + EXT) 


New stack must have room for 10 bytes else #SS(O) 
IP must be in CS limit else #GP(O) 
Load new SS and SP value from TSS 
Load new CS and IP value from gate 
Load CS descriptor 
Load SS descriptor 
Push long pointer to old stack onto new stack 
Push return address onto new stack 
Set CPL to new code segment DPL 
Set RPL of CS to CPL 
If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled) 
Set the Trap Flag to 0 
Set the Nested Task Flag to 0 


If code segment is conforming or code segment DPL = CPL then 


INTERRUPT TO SAME PRIVILEGE LEVEL: 
Current stack limits must allow pushing 6 bytes else #SS(O) 
If interrupt was caused by fault with error code then 


Stack limits must allow push of two more bytes else #SS(O) 


IP must be in CS limit else #GP(O) 
Push flags onto stack 
Push current CS selector onto stack 
Push return offset onto stack 
Load CS:IP from gate 
Load CS descriptor 
Set the RPL field of CS to CPL 
Push error code (if any) onto stack 
If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled) 
Set the Trap Flag to 0 
Set the Nested Task Flag to 0 


If TASK GATE: 
Examine selector to TSS. given in Task Gate descriptor: 
Must specify global in the local/global bit else #GP (TSS selector) 
Index must be within GOT limits else #GP (TSS selector) 
AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 
Task State Segment must be PRESENT else #NP (TSS selector) 


SWITCH_TASKS with nesting to TSS 
If interrupt was caused by fault with error code then 


Stack limits must allow push of two more bytes else #SS(O) 
Push error code onto stack 


IP must be in CS limit else #GP(O) 


EXT is I if an external event (i.e., a single 
step, an external interrupt, an MF excep- 
tion, or an MP exception) caused the 
interrupt; 0 if not (i.e., an INT instruc- 
tion or other exceptions). 


PROTECTED 
MODE EXCEPTIONS 
#GP, #NP, #SS, and #TS, as indicated in the 
list above. 


REAL ADDRESS MODE EXCEPTIONS 
None 


IRET -Interrupt 
Return 


17,pm=31 
55 
169 


IRET 
IRET 
IRET 


Interrupt 
return 
(far return 
and pop flags) 
Interrupt 
return, 
lesser 
privilege 
Interrupt 
return, 
different 
task (NT =1) 


FLAGS MODIFIED 
Entire flags register popped from stack 


FLAGS UNDEFINED 
None 


OPERATION 
In real address mode, IRET pops IP, CS, and 
FLAGS 
from the stack 
and resumes 
the 


interrupted routine. 


In protected 
mode, 
the action 
of IRET 
depends on the setting of the Nested Task 
Flag (NT). 


If NT=O, 
IRET returns from an interrupt 
procedure without a task switch. The code 
returned to must be equally or less privileged 
than the interrupt routine. 


If NT= 1, IRET reverses the operation of a 
CALL or INT that caused a task switch. The 
task executing IRET has its updated state 
saved in its Task State Segment. This means 
that if the task is re-entered, the code that 
follows IRET will be executed. 


The exact checks and actions performed by 
IRET in protected mode are given on the 
following page. 


INTERRUPT RETURN: 


If Nested Task Flag=1 then 
RETURN FROM NESTED TASK: 
Examine Back Link Selector in TSS addressed by the current Task Register: 


.Must specify global in the local/global bit else #TS (new TSS selector) 
Index must be within GOT limits else #TS (new TSS selector) 
AR byte must specify TSS else #TS (new TSS selector) 
New TSS must be busy else #TS (new TSS selector) 
Task State Segment must be PRESENT else #NP (new TSS selector) 
SWITCH_TASKS without nesting to TSS specified by back link selector 
Mark the task just abandoned as NOT BUSY 
IP must be in code segment limit else #GP(O) 


If Nested Task Flag=O then 


INTERRUPT RETURN ON STACK: 
Second word on stack must be within stack limits else #SS(O) 
Return CS selector RPL must be ~ CPL else #GP (Return selector) 
If return selector RPL = CPL then 
INTERRUPT RETURN TO SAME LEVEL: 
Top 6 bytes on stack must be within limits else #SS(O) 
Return CS selector (at SP+2) must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP( Return selector) 
AR byte must indicate code segment else #GP (Return selector) 
If non-conforming then code segment DPL must = CPL else #GP (Return selector) 
If conforming then code segment DPL must be =:; CPL else #GP (Return selector) 
Segment must be PRESENT else #NP (Return selector) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from stack 
Load CS-cache with new code segment descriptor 
Load flags with third word on stack 
Increment SP by 6 
Else 


INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL: 
Top 10 bytes on stack must be within limits else #SS(O) 
Examine return CS selector (at SP+2) and associated descriptor: 
Selector must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP (Return selector) 
AR byte must indicate code segment else #GP (Return selector) 
If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector) 
If conforming then code segment DPL must be > CPL else #GP (Return selector) 
Segment must be PRESENT else #NP (Return selector) 
Examine return SS selector (at SP+8) and associated descriptor: 
Selector must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP (SS selector) 
Selector RPL must equal the RPL of the return CS selector else #GP (SS selector) 
AR byte must indicate a writable data segment else #GP (SS selector) 
Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector) 
SS must be PRESENT else #NP (SS selector) 


IP must be in code segment limit else #GP(O) 
Load CS:IP from stack 
Load flags with values at (SP+4) 
Load SS:SP from stack 
Set CPL to the RPL of the return CS selector 
Load the CS-cache with the CS descriptor 
Load the SS-cache with the SS descriptor 
For each of ES and OS: 
If the current register setting is not valid for the outer level, then zero the register and 
clear the valid flag 
To be valid, the register setting must satisfy the following properties: 


Selector index must be within descriptor table limits 


II :>t1yrmnll 
I:> Ol:lla or non-comormlng 
coae, men: 


DPL must be 2: CPL, or 
DPL must be 2: RPL. 


PROTECTED 
MODE EXCEPTIONS 


#GP, #NP, or #88, as indicated in the above 
listing. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 if the stack is popped when it 


has offset OFFFFH. 


Jcond-Jump 
Short If Condition Met 


Opcode 
Instruction 
Clocks- 
Description 


77 
cb 
JA cb 
7,noj=3 
Jump short if above (CF=O and ZF=O) 
73 
cb 
JAE cb 
7,noj=3 
Jump short if above or equal (CF=O) 
72 
cb 
JB cb 
7,noj=3 
Jump short if below (CF=1) 


76 
cb 
JBE cb 
7,noj=3 
Jump short if below or equal (CF= 1 or ZF= 1) 
72 
cb 
JC cb 
7,noj=3 
Jump short if carry (CF=1) 


E3 
cb 
JCXZ cb 
8,noj=4 
Jump short if CX register is zero 


74 
cb 
JE cb 
7,noj=3 
Jump short if equal (ZF=1) 


7F 
cb 
JG cb 
7,noj=3 
Jump short if greater (ZF=O and SF=OF) 
70 
cb 
JGE cb 
7,noj=3 
Jump short if greater or equal (SF=OF) 
7C 
cb 
JL cb 
7,noj=3 
Jump short if less (SF/=OF) 


7E 
cb 
JLE cb 
7,noj=3 
Jump short if less or equal (ZF=1 or SF/=OF) 
76 
cb 
JNA cb 
7,noj=3 
Jump short if not above (CF=1 or ZF=1) 
72 
cb 
JNAE cb 
7,noj=3 
Jump short if not above/equal (CF= 1) 
73 
cb 
JNB cb 
7,noj=3 
Jump short if not below (CF=O) 


77 
cb 
JNBE cb 
7,noj=3 
Jump short if not below/equal 
(CF=O 
and 


ZF=O) 


73 
cb 
JNC cb 
7,noj=3 
Jump short if not carry (CF=O) 


75 
cb 
JNE cb 
7,noj=3 
Jump short if not equal (ZF=O) 


7E 
cb 
JNG cb 
7,noj=3 
Jump short if not greater (ZF=1 or SF/=OF) 
7C 
cb 
JNGE cb 
7,noj=3 
Jump short if not greater/equal (SF/=OF) 
70 
cb 
JNL cb 
7,noj=3 
Jump short if not less (SF=OF) 


7F 
cb 
JNLE cb 
7,noj=3 
Jump 
short 
if not less/equal 
(ZF=O 
and 


SF=OF) 


71 
cb 
JNO cb 
7,noj=3 
Jump short if not overflow (OF=O) 
7B 
cb 
JNP cb 
7,noj=3 
Jump short if not parity (PF=O) 


79 
cb 
JNS cb 
7,noj=3 
Jump short if not sign (SF=O) 


75 
cb 
JNZ cb 
7,noj=3 
Jump short if not zero (ZF=O) 


70 
cb 
JO cb 
7,noj=3 
Jump short if overflow (OF=1) 


7A 
cb 
JP cb 
7,noj=3 
Jump short if parity (PF=1) 


7A 
cb 
JPE cb 
7,noj=3 
Jump short if parity even (PF=1) 


7B 
cb 
JPO cb 
7,noj=3 
Jump short if parity odd (PF=O) 


78 
cb 
JS cb 
7,noj=3 
Jump short if sign (SF=1) 


74 
cb 
JZ cb 
7,noj=3 
Jump short if zero (ZF=1) 


FLAGS MODIFIED 
None 


OPERATION 
Conditional 
jumps 
(except 
for 
JCXZ, 


explained 
below) 
test 
the 
flags, 
which 


presumably have been set in some meaning- 
ful way by a previous instruction. The condi- 
tions 
for 
each 
mnemonic 
are 
given 
in 


parentheses after each description above. The 


terms "less" 
and "greater" 
are used for 


comparing 
signed integers; 
"above" 
and 


"below" are used for unsigned integers. 


If the given condition is true, then a short 
jump is made to the label provided as the 
operand. The operand must be in the range 
from 126 bytes before the instruction to 127 
bytes beyond the instruction. This range is 
necessary for the assembler to construct a one- 
byte signed displacement from the end of the 
current 
instruction. 
If the label is out-of- 


range, or if the label is aFAR 
label, then you 
must perform 
a jump 
with the opposite 


FLAGS UNDEFINED 
None 


condition around an unconditional jump to the 
non-short label. 


Because there are, in many instances, several 
ways to interpret 
a particular 
state of the 


flags, 
ASM286 
provides 
more 
than 
one 


mnemonic for most of the conditional jump 
opcodes. 
For 
example, 
consider 
that 
a 


programmer 
who has 
just 
compared 
a 


character 
to another in AL might wish to 


jump 
if the two were equal 
(1E), 
while 


another programmer who had just ANDed 
AX with a bit field mask would prefer to 
consider only whether the result was zero or 
not (he would use JZ, a synonym for JE). 


JCXZ 
differs from the other 
conditional 


jumps in that it actually tests the contents of 
the CX register for zero, rather than interro- 


gating the flags. This instruction 
is useful 
following a conditionally 
repeated 
string 


operation (REPE SCASB, for example) or a 
conditional 
loop 
instruction 
(such 
as 
LOOPNE 
TARGETLABEL). 
These 
instructions implicitly use a limiting count in 
the CX register. Looping (repeating) 
ends 


when either the CX register goes to zero or 
the condition specified in the instruction (flags 
indicating equals in both of the above cases) 
occurs. JCXZ 
is useful when the termina- 


tions must be handled differently. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the offset jumped to is beyond the 
limits of the code segment. 


REAL ADDRESS MODE EXCEPTIONS 
None 


JMP-Jump 


Opcode 
Instruction 
Clocks' 
Description 


EB 
cb 
JMP cb 
7 
Jump short 


EA 
cd 
JMP cd 
180 
Jump to task gate 


E9 
cw 
JMP cw 
7 
Jump near 


EA 
cd 
JMP cd 
11,pm=23 
Jump far (4-byte immediate address) 


EA 
cd 
JMP cd 
38 
Jump to call gate, same privilege 


EA 
cd 
JMP cd 
175 
Jump via Task State Segment 


FF 
/4 
JMP ew 
7,mem=11 
Jump near to EA word (absolute offset) 
FF 
/5 
JMP md 
15,pm=26 
Jump far (4-byte address in memory double- 
word) 


FF 
/5 
JMP md 
41 
Jump to call gate, same privilege 


FF 
/5 
JMP md 
178 
Jump via Task State Segment 


FF 
/5 
JMP md 
183 
Jump to task gate 


'Add one clock for every byte of the next instruction executed. 


FLAGS MODIFIED 
All if a task switch takes place; none if no 
task switch occurs. 


FLAGS UNDEFINED 
None 


OPERATION 
The JMP 
instruction 
transfers 
program 


control 
to a different 
instruction 
stream 


without recording any return information. 


For inter-segment jumps, the destination can 
be a code segment, a call gate, a task gate, or 
a Task State Segment. The latter two desti- 
nations cause a complete task switch to take 
place. 


Control transfers within a segment use the 
JMP cwor JMP cb forms. The operand is a 
relative offset added modulo 65536 to the 
offset of the instruction that follows the JMP. 
The result is the new value of IP; the value of 
CS is unchanged. The byte operand is sign- 
extended before it is added; it can therefore 
be used to address labels within 128 bytes in 
either direction from the next instruction. 


Indirect jumps w.thin a segment use the JMP 
ew form. The contents 
of the register 
or 


memory operand is an absolute offset, which 
becomes the new value of IP. Again, CS is 
unchanged. 


Inter-segment jumps in real address mode 
simply set IP to the offset part of the long 
pointer and set CS to the selector part of the 
pointer. 


In protected mode, inter-segment jumps cause 
the iAPX 
286 to consult 
the descriptor 


addressed by the selector part of the long 
pointer. The AR byte of the descriptor deter- 
mines the type of the destination. (See table 
B-3 for possible values of the AR byte.) 
Following are the possible destinations: 


1. 
Code segment-The 
addressability 
and 
visibility of the destination are verified, 
and CS and IP are loaded with the desti- 
nation pointer values. 


2. 
Call gate-The 
offset part of the desti- 


nation pointer is ignored. After checking 
for validity, the processor jumps to the 
location stored in the call gate descriptor. 


3. 
Task gate-The 
current task's state is 
saved in its Task State Segment (TSS), 
and the TSS named in the task gate is 
used to load a new context. The outgoing 
task is marked not busy, the new TSS is 
marked busy, and execution resumes at 
the point at which the new task was last 
suspended. 


4. 
TSS- 
The current task is suspended and 
the new task is initiated as in 3 above 
except that there is no intervening gate. 


Following is the list of checks and actions 
taken for long jumps in protected mode: 


JUMP FAR: 
If indirect then check access of EA doubleword #GP(O) or #SS(O) if limit violation 
Destination selector is not null else #GP(O) 
Destination selector index is within its descriptor table limits else #GP (selector) 
Examine AR byte of destination selector for legal values: 


JUMP CONFORMING CODE SEGMENT: 
Descriptor DPL must be ~ CPL else #GP (selector) 
Segment must be PRESENT else #NP (selector) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from destination pointer 
Load CS-cache with new segment descriptor 
Set RPL field of CS register to CPL 


JUMP NONCONFORMING CODE SEGMENT: 
RPL of destination selector must be :::;CPL else #GP (selector) 
Descriptor DPL must = CPL else #GP (selector) 
Segment must be PRESENT else #NP (selector) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from destination pointer 
Load CS-cache with new segment descriptor 
Set RPL field of CS register to CPL 


JUMP TO CALL GATE: 
Descriptor DPL must be ~ CPL else #GP (gate selector) 
Descriptor DPL must be ~ gate selector RPL else #GP (gate selector) 
Gate must be PRESENT else #NP (gate selector) 
Examine selector to code segment given in call gate descriptor: 
Selector must not be null else #GP(O) 
Selector must be within its descriptor table limits else #GP (CS selector) 
Descriptor AR byte must indicate code segment else #GP (CS selector) 
If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector) 
If conforming, then code segment descriptor DPL must be :::;CPL else #GP (CS selector) 
Code Segment must be PRESENT else #NP (CS selector) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from call gate 


Load CS-cache with new code segment 
Set RPL of CS to CPL 


JUMP TASK GATE: 
Gate descriptor DPL must be ~ CPL else #GP (gate selector) 
Gate descriptor DPL must be ~ gate selector RPL else #GP (gate selector) 
Task Gate must be PRESENT else #NP (gate selector) 
Examine selector to TSS, given in Task Gate descriptor: 
Must specify global in the local/global bit else #GP (TSS selector) 
Index must be within GOT limits else #GP (TSS selector) 
Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 
Task State Segment must be PRESENT else #NP (TSS selector) 


SWITCH_TASKS 
without 
nesting 
to TSS 


IP must be in code segment 
limit else #GP(O) 


JUMP 
TASK STATE 
SEGMENT: 


TSS DPL must be ~ 
CPL else #GP 
(TSS selector) 


TSS DPL must be ~ 
TSS selector 
RPL else #GP 
(TSS selector) 
Descriptor 
AR byte must specify 
available 
TSS (bottom 
bits 00001) else #GP 
(TSS selector) 
Task State Segment 
must be PRESENT 
else #NP 
(TSS selector) 
SWITCH_TASKS 
with nesting 
to TS. 


IP must be in code segment 
limit else #GP(O) 


PROTECTED 
MODE EXCEPTIONS 


For NEAR jumps, #GP(O) if the destination 
offset is beyond the limits of the current code 
segment. For FAR jumps, #GP, #NP, #SS, 
and #TS, as indicated above. #UD if indirect 
inter-segment jump operand is a register. 


REAL ADDRESS MODE EXCEPTIONS 
#UD if indirect inter-segment jump operand 
is a register. 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


The low byte of the flags word is transferred 
to AH. The bits, from top to bottom, 
are as 


follows: 
sign, 
zero, 
indeterminate, 
auxiliary 


carry, 
indeterminate, 
parity, 
indeterminate, 
and carry. 


PROTECTED 
MODE EXCEPTIONS 


None 


REAL ADDRESS MODE EXCEPTIONS 


None 


Load: high(rw)= 
Access Rights byte,selector 


ew 


FLAGS MODIFIED 
Zero 


FLAGS UNDEFINED 
None 


OPERATION 
LAR expects the second operand (memory or 
register word) to contain a selector. If the 
associated descriptor is visible at the current 
privilege level and at the selector RPL, then 
the access rights byte of the descriptor 
is 


loaded into the high byte of the first (regis- 
ter) operand, and the low byte is set to zero. 
The zero flag is set if the loading 
was 
performed (i.e., the selector index is within the 


table limit, descriptor 
DPL > CPL, and 


descriptor DPL > selector RPL); the zero 
flag is cleared otherwise. 


Selector operands cannot cause protection 
exceptions. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(O) for an illegal 
address 
in the SS 


segment. 


REAL ADDRESS MODE EXCEPTION 
INTERRUPT 
6; LAR is unrecognized 
in 


Real Address mode. 


LDS/LES-Load 
DoublewordPointer 


C5 
If 


C4 
If 


7,pm=21 


7,pm=21 


Description 


Load 
EA doubleword 
into 
OS and 
word 


register 
Load 
EA doubleword 
into 
ES and 
word 


register 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The four-byte pointer at the memory location 
indicated by the second operand is loaded into 
a segment register and a word register. The 
first word of the pointer (the offset) is loaded 
into the register indicated by the first operand. 
The last word of the pointer (the selector) is 
loaded into the segment register (DS or ES) 
given by the instruction opcode. 


When the segment 
register 
is loaded, 
its 


associated cache is also loaded. The data for 
the cache is obtained from the descriptor table 
entry for the selector given. 


A null selector (values 0000-0003) 
can be 


loaded into DS or ES without a protection 
exception. Any memory reference using such 
a segment register value will cause a #GP(O) 
exception but will not result in a memory 
reference. The saved segment register value 
will be null. 


Following is a list of checks and actions taken 
when loading the DS or ES registers: 


If selector is non-null then: 


Selector index must be within its descriptor table limits else #GP (selector) 
Examine descriptor AR byte: 


Data segment or readable non-conforming code segment 


Descriptor DPL 2': CPL else #GP (selector) 
Descriptor DPL 2': selector RPL else #GP (selector) 


Readable conforming code segment 


No DPL, RPL, or CPL checks 


Segment must be present else #NP (selector) 
Load registers from operand 
Load segment register descriptor cache 


If selector is null then: 
Load registers from operand 
Mark segment register cache as invalid 


PROTECTED 
MODE EXCEPTIONS 


#GP or #NP, as indicated in the list above. 
#GP(O) or #SS(O) if operand 
lies outside 


segment limit. #UD if the source operand is 
a register. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for operand at offset OFFFFH 


or OFFFDH. #UD if the source operand is a 
register. 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


The 
effective 
address 
(offset 
part) 
of the 


second operand 
is placed 
in the first 
(regis- 


ter) operand. 


PROTECTED 
MODE EXCEPTIONS 


#UD if second operand 
is a register. 


REAL ADDRESS MODE EXCEPTIONS 


#UD if second operand 
is a register. 


LEAVE - 
High Level Procedure Exit 


FLAGS MODIFIED 


None 


caller's 
frame, 
and 
a subsequent 
RET 
nn 
instruction 
will 
follow 
the 
back-link 
and 


remove 
any arguments 
pushed 
on the stack 


for the exiting procedure. 
FLAGS UNDEFINED 


None 


OPERATION 


LEAVE 
is the complementary 
operation 
to 


ENTER; 
it 
reverses 
the 
effects 
of 
that 


instruction. 
By copying 
BP to SP , LEAVE 


releases 
the stack space used by a procedure 


for its dynamics 
and display. 
The old frame 


pointer 
is now popped 
into BP, restoring 
the 


PROTECTED 
MODE EXCEPTIONS 


#SS(O) 
if BP does 
not 
point 
to a location 


within the current 
stack segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


LGDT/LIDT -Load 
Global/Interrupt 
Descriptor Table Register 


OF 
01 
/2 
OF 
01 
/3 


LGDT m 
L1DT m 
Load m into Global Descriptor Table reg 
Load m into Interrupt Descriptor Table reg 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The Global or the Interrupt Descriptor Table 
Register 
is loaded 
from the six bytes of 


memory pointed to by the effective address 
operand. The LIMIT field of the descriptor 
table register loads from the first word; the 
next three bytes go to the BASE field of the 
register; the last byte is ignored. 


LGDT and LIDT appear in operating systems 
software; they are not used in application 
programs. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the current privilege level is not O. 


#GP(O) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(O) for an illegal 
address 
in the SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 
These instructions are valid in Real Address 
mode to allow the power-up initialization for 
Protected mode. 


Interrupt 
13 for a word operand at offset 


OFFFFH. 
#UD 
if source 
operand 
is a 


register. 


LLDT -Load 
Local Descriptor Table Register 


Load selector ew into Local Descriptor Table 
register 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The word operand (memory or register) to 
LLDT should contain a selector pointing to 
the Global Descriptor Table. The GDT entry 
should be a Local Descriptor Table. If so, then 
the Local Descriptor Table Register is loaded 
from the entry. The descriptor cache entries 
for DS, ES, SS, and CS are not affected. The 
LDT field in the TSS is not changed. 


The selector operand is allowed to be zero. In 
that case, the Local Descriptor Table Regis- 
ter is marked invalid. All descriptor refer- 


ences (except by LAR, VERR, 
VERW or 
LSL instructions) will cause a #GP fault. 


LLDT appears in operating systems software; 
it does not appear in applications programs. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the current privilege level is not O. 
#GP (selector) if the selector operand does not 
point into the Global Descriptor Table, or if 
the entry in the GDT is not a Local Descrip- 
tor Table. #NP (selector) if LDT descriptor 
is not present. #GP(O) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 6; LLDT is not recognized in Real 
Address Mode. 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


The Machine 
Status 
Word is loaded from the 


source operand. 
This instruction 
may be used 


to switch 
to protected 
mode. 
If so, then 
it 


must be followed 
by an intra-segment 
jump 


to flush the instruction 
queue. LMSW 
will not 


switch back to Real Address 
Mode. 


LMSW 
appears 
only 
in operating 
systems 


software. 
It does not appear 
in applications 


programs. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the current 
privilege 
level is not O. 
#GP(O) for an illegal memory 
operand 
effec- 
tive address 
in the CS, DS, or ES segments; 
#SS( 0) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


LOCK - 
Assert BUS LOCK Signal 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
LOCK is a prefix that will cause the BUS 
LOCK signal of the iAPX 286 to be asserted 
for the duration of the instruction which it 
precedes. In a multiprocessor environment, 
this signal should be used to ensure that the 
iAPX 286 has exclusive use of any shared 
memory while BUS LOCK is asserted. The 
read-modify-write sequence typically used to 
implement TEST-AND-SET in the iAPX 286 
is the XCHG 
instruction. 
XCHG 
always 


asserts BUS LOCK regardless of the presence 
or absence of the LOCK prefix. 


Assert 
BUSLOCK 
signal 
for 
the 
next 
instruction 


The LOCK prefix does not lock all bus cycles 
of all instructions. The bus will not remain 
locked for all bus cycles while creating the 
following 
instructions 
with 
multi-word 
operands: 
CMPS, 
SCAS, 
STOS, 
LaDS, 
PUSHA, 
paPA, 
CALL, 
RET, 
IRET, 
ENTER, 
BOUND, 
PUSH, 
POP, and any 
ESC. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the current privilege level is bigger 
(less privileged) than the I/O privilege level. 


Other exceptions may be generated 
by the 
subsequent (locked) instruction. 


REAL ADDRESS MODE EXCEPTIONS 
None. Exceptions may still be generated by 
the subsequent (locked) instruction. 


LODS/LODSB/LODSW-Load 
StringOperand 


LOOS mb 
LOOS mw 
Loose 
LOOSW 


Load byte [SI] into AL 
Load byte [SI] into AL 
Load byte OS:[SI] into AL 
Load byte OS:[SI] into AL 


FLAGS MODIFIED 


None 


or decrements 
by 1 if a byte was moved; by 2 


if a word was moved. 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 
tive address 
in the CS, DS, or ES segments; 


#SS(O) 
for 
an 
illegal 
address 
in the 
SS 
segment. 


OPERATION 


LODS 
loads the AL or AX register 
with the 


memory 
byte or word at SI. After 
the trans- 
fer is made, SI is automatically 
advanced. 
If 


the direction 
flag is 0 (CLD 
was executed), 
SI increments; 
if the direction 
flag is 1 (STD 


was executed), 
SI decrements. 
SI increments 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


LOOP/LOOPcond-Loop 
Controlwith CX Counter 


Opcode 
Instruction 
Clocks 


E2 
cb 
LOOP 
cb 
8,noj=4 


E1 
cb 
LOOPE 
cb 
8,noj=4 


EO 
cb 
LOOPNE 
cb 
8,noj=4 


EO 
cb 
LOOPNZ 
cb 
8,noj=4 


E1 
cb 
LOOPZ 
cb 
8,noj=4 


DEC CX; jump 
short 
if CX*O 
DEC CX; jump short 
if CX*O 
and equal (ZF=1) 


DEC CX; jump 
short 
if CX * 0 and 
not equal 
(ZF=O) 
DEC CX; jump 
short 
if CX*O 
and ZF=O 


DEC CX; jump short 
if CX*O 
and zero (ZF=1) 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


LOOP 
first 
decrements 
the ex 
register 


without 
changing 
any of the 
flags. 
Then, 
conditions 
are 
checked 
as 
given 
in 
the 


description 
above for the form of LOOP being 


used. If the conditions 
are met, then an intra- 


segment 
jump 
is made. 
The 
destination 
to 


LOOP 
is in the 
range 
from 
126 (decimal) 


bytes 
before 
the 
instruction 
to 
127 bytes 
beyond the instruction. 


The 
LOOP 
instructions 
are 
intended 
to 


provide iteration 
control 
and to combine 
loop 


index management 
with conditional 
branch- 
ing. To use the LOOP 
instruction 
you load an 
unsigned 
iteration 
count 
into ex, then 
code 


the LOOP 
at the end of a series of instruc- 


tions to be iterated. 
The destination 
of LOOP 


is a label that points to the beginning 
of the 


iteration. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the offset jumped 
to is beyond 
the 


limits of the current 
code segment. 


REAL ADDRESS MODE EXCEPTIONS 


None 


OF 
03 
If 


FLAGS MODIFIED 
Zero 


FLAGS UNDEFINED 
None 


OPERATION 
If the descriptor denoted by the selector in the 
second (memory or register) operand is visible 
at the CPL, a word that consists of the limit 
field of the descriptor is loaded into the left 
operand, which must be a register. The value 
is the limit field for that segment. The zero 
flag is set if the loading was performed (that 
is, if the selector is non-null, the selector index 
is within the descriptor 
table 
limits, 
the 


descriptor 
is a non-conforming 
segment 


descriptor 
with 
DPL 
> CPL, 
and 
the 


descriptor DPL > selector RPL); the zero 
flag is cleared otherwise. 


The LSL instruction returns only the limit 
field of segments, task state segments, and 
local descriptor tables. The interpretation 
of 


the limit 
value 
depends 
on the 
type 
of 


segment. 


The selector operand's value cannot result in 
a protection exception. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(O) for an illegal 
address 
in the SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
6; LSL is not recognized in Real 


Address mode. 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The Task Register is loaded from the source 
register 
or memory location 
given by the 


operand. The loaded TSS is marked busy. A 
task switch operation does not occur. 


LTR 
appears 
only in operating 
systems 
software. 
It is not used in applications 
programs. 


Load EA word into Task Register 


PROTECTED 
MODE EXCEPTIONS 
#GP for an illegal memory operand effective 
address in the CS, DS, or ES segments; #SS 
for an illegal address in the SS segment. 


#GP(O) if the current privilege level is not O. 
#GP (selector) if the object named by the 
source selector is not a TSS or is already busy. 
#NP (selector) 
if the TSS is marked 
not 


present. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 6; LTR is not recognized in Real 
Address mode. 


Opcode 
Instruction 
Clocks 
Description 


88 
/f 
MOV eb,fb 
2,mem=3 
Move byte register into EA byte 


89 
/f 
MOV eW,rw 
2,mem=3 
Move word register into EA word 


8A 
/f 
MOV rb,eb 
2,mem=5 
Move EA byte into byte register 


88 
/r 
MOV rw,ew 
2,mem=5 
Move EA word into word register 
" 


8C 
/0 
MOV eW,ES 
2,mem=3 
Move ES into EA word 


8C 
/1 
MOVew,CS 
2,mem=3 
Move CS into EA word 


8C 
/2 
MOVew,SS 
2,mem=3 
Move SS into EA word 


8C 
/3 
MOVew,OS 
2,mem=3 
Move OS into EA word 


8E 
/0 
MOV ES,mw 
5,pm=19 
Move memory word into ES 


8E 
/0 
MOV ES,rw 
2,pm=17 
Move word register into ES 


8E 
/2 
MOV SS,mw 
5,pm=19 
Move memory word into SS 


8E 
/2 
MOV SS,rw 
2,pm=17 
Move word register into SS 


8E 
/3 
MOV OS,mw 
5,pm=19 
Move memory word into OS 


8E 
/3 
MOV OS,rw 
2,pm=17 
Move word register into OS 


AO 
dw 
MOV AL,xb 
5 
Move byte variable (offset dw) into AL 


A1 
dw 
MOV AX,xw 
5 
Move word variable (offset dw) into AX 


A2 
dw 
MOV xb,AL 
3 
Move AL into byte variable (offset dw) 
A3 
dw 
MOV xW,AX 
3 
Move AX into word register (offset dw) 
80+ 
rb 
db 
MOV rb,db 
2 
Move immediate byte into byte register 
88+ 
rw 
dw 
MOV rw,dw 
2 
Move immediate word into word register 
C6 
/0 
db 
MOV eb,db 
2,mem=3 
Move immediate byte into EA byte 


C7 
/0 
dw 
MOVew,dw 
2,mem=3 
Move immediate word into EA word 


FLAGS MODIFIED 


None 


A null selector 
(values 
0000-0003) 
can 
be 


loaded 
into 
DS 
and 
ES registers 
without 


causing 
a protection 
exception. 
Any use of a 
segment 
register 
with 
a null 
selector 
to 
address 
memory 
will cause 
#GP(O) 
excep- 
tion. No memory 
reference 
will occur. 


FLAGS UNDEFINED 


None 


OPERATION 


The 
second 
operand 
is copied 
to the 
first 
operand. 
Any move into SS will inhibit 
all interrupts 


until 
after 
the 
execution 
of 
the 
next 
instruction. 
If the destination 
operand 
is a segment 
regis- 


ter 
(DS, 
ES, 
or SS), 
then 
the 
associated 


segment 
register 
cache 
is also loaded. 
The 
data 
for 
the 
cache 
is obtained 
from 
the 
descriptor 
table entry for the selector 
given. 


Following 
is a listing 
of the protected-mode 


checks and actions 
taken 
in the loading 
of a 
segment 
register: 


If 55 is loaded: 
If selector is null then #GP(O) 
Selector index must be within its descriptor table limits else #GP (selector) 
Selector's RPL must equal CPL else #GP (selector) 
AR byte must indicate a writable data segment else #GP (selector) 
OPL in the AR byte must equal CPL else #GP (selector) 
Segment must be marked PRESENT else #S5 (selector) 
Load 5S with selector 


Load SS cache with descriptor 
If ES or OS is loaded with non-null selector 
Selector index must be within its descriptor table limits else #GP (selector) 
AR byte must indicate data or readable code segment else #GP (selector) 
If data or non-conforming code, then both the RPL and the 


CPL must be less than or equal to OPL in AR byte else #GP (selector) 


Segment must be marked PRESENT else #NP (selector) 
Load segment register with selector 
Load segment register cache with descriptor 
If ES or OS is loaded with a null selector: 
Load segment register with selector 
Clear descriptor valid bit 


PROTECTED 
MODE EXCEPTIONS 


If a segment 
register 
is being 
loaded, 
#GP, 
#SS, 
and 
#NP, 
as described 
in the 
listing 


above. 


memory 
operand 
effective 
address 
in the CS, 


DS, or ES segments; 
#SS(O) 
for an illegal 


address 
in the SS segment. 


Otherwise, 
#GP(O) 
if the destination 
is in a 


non-writable 
segment. 
#GP(O) 
for an illegal 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


MOVS/MOVSB/MOVSW-Move 
DatafromString 
to String 


Opcode 
Instruction 
Clocks 
Description 


A4 
MOV5 mb,mb 
5 
Move byte [51] to E5:[DI] 
- 


A5 
MOV5 mW,mw 
5 
Move word [51] to E5:[DI] 


A4 
MOV5B 
5 
Move byte D5:[SI] to ES:[DI] 


A5 
MOVSW 
5 
Move word DS:[SI] to ES:[DI] 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


MOYS copies the byte or word at [SI) to the 
byte 
or word 
at 
ES:[DI). 
The 
destination 


operand 
must 
be addressable 
from 
the 
ES 


register; 
no segment 
override 
is possible. 
A 


segment 
override 
may be used for the source 


operand. 


After the data movement 
is made, both SI and 


DI are automatically 
advanced. 
If the direc- 


tion flag is 0 (CLD 
was executed), 
the regis- 


ters increment; 
if the direction 
flag is 1 (STD 


was executed), 
the registers 
decrement. 
The 


registers 
increment 
or decrement 
by 
1 if a 
byte was moved; by 2 if a word was moved. 


MOYS 
can be preceded 
by the REP 
prefix 


for block movement 
of CX bytes 
or words. 
Refer to the REP instruction 
for details of this 


operation. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the destination 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


MUL-Unsigned 
Multiplication of AL or AX 


F6 
/4 
F7 
/4 


13,mem=16 
21,mem=24 
Unsigned multiply (AX = AL X EA byte) 
Unsigned multiply (DXAX = AX X EA word) 


MUL eb 
MUL ew 


FLAGS MODIFIED 


Overflow, 
carry 


FLAGS UNDEFINED 


Sign, zero, auxiliary 
carry, 
parity 


OPERATION 


If MUL 
has a byte operand, 
then the byte is 


multiplied 
by AL, and the result is left in AX. 


Carry 
and overflow 
are set to 0 if AH is 0; 


they are set to 1 otherwise. 


If MUL 
has a word operand, 
then the word 


is multiplied 
by AX, and the result 
is left in 


DX:AX. 
DX contains 
the high order 
16 bits 
of the product. 
Carry 
and overflow are set to 
o if DX is 0; they are set to 1 otherwise. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 


tive address 
in the CS, DS, or ES segments; 


#SS(O) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


NEG-Two's 
ComplementNegation 


F6 
/3 


F7 
/3 


NEG 
eb 
NEG ew 
2,mem=7 
2,mem=7 
Two's complement negate EA byte 
Two's complement negate EA word 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 


carry 


FLAGS UNDEFINED 


None 


OPERATION 


The 
two's 
complement 
of the 
register 
or 
memory 
operand 
replaces 
the 
old 
operand 


value. 
Likewise, 
the 
operand 
is subtracted 
from 
zero, 
and 
the 
result 
is placed 
in the 
operand. 


The carry 
flag is set to I except 
when 
the 


input operand 
is zero, in which case the carry 


flag is cleared 
to O. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


FLAGS MODIFIED 
None 


filler instruction 
that takes up space but 
affects none of the machine context except IP. 


FLAGS UNDEFINED 
None 


PROTECTED 
MODE EXCEPTIONS 
None 


OPERATION 
Performs no operation. NOP is a one-byte 


REAL ADDRESS MODE EXCEPTIONS 
None 


NOT-One's 
Complement Negation 


F6 
/2 
F7 
/2 


NOT 
eb 
NOT 
ew 
2,mem=7 
2,mem=7 
Reverse each bit of EA byte 
Reverse each bit of EA word 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


OPERATION 


The 
operand 
is inverted; 
that 
is, every 


becomes a 0 and vice versa. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


OR- 
Logical Inclusive OR 


Opcode 
Instruction 
Clocks 


08 
If 
OR eb,fb 
2,mem=7 
09 
If 
OR ew,rw 
2,mem=7 
OA 
If 
OR fb,eb 
2,mem=7 
DB 
If 
OR rw,ew 
2,mem=7 
DC 
db 
OR AL,db 
3 
00 
dw 
OR AX,dw 
3 
80 
11 
db 
OR eb,db 
3,mem=7 
81 
11 
dw 
OR eW,dw 
- 
3,mem=7 


Logical-OR byte register into EA byte 
Logical-OR word register into EA word 
Logical-OR EA byte into byte register 
Logical-OR EA word into word register 
Logical-OR immediate byte into AL 
Logical-OR immediate word into AX 
Logical-OR immediate byte into EA byte 
Logical-OR immediate word into EA word 


FLAGS MODIFIED 


Overtlow=O, 
sign, zero, parity, 
carry=O 


FLAGS UNDEFINED 


Auxiliary 
carry 


OPERATION 


This instruction 
computes 
the inclusive OR of 


the two operands. 
Each bit of the result 
is 0 


if both corresponding 
bits of the operands 
are 


0; each bit is 1 otherwise. 
The result is placed 


in the first operand. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


OUT -Output 
to Port 


Opcode 
Instruction 
Clocks 


E6 
db 
OUT db,AL 
3 
E7 
db 
OUT db,AX 
3 
EE 
OUT OX,AL 
3 
EF 
OUT OX,AX 
3 


Output byte AL to immediate port number db 
Output word AX to immediate port number db 
Output byte AL to port number OX 
Output word AX to port number OX 


FLAGS MODIFIED 
None 


the DX register then using an OUT instruc- 
tion with DX as the first operand. 
If the 
instruction contains an 8-bit port ID, that 
value is zero-extended to 16 bits. 
FLAGS UNDEFINED 
None 


OPERATION 
OUT transfers a data byte or data word from 
the register (AL or AX) given as the second 
operand to the output port numbered by the 
first operand. You can output to any port 
from 0-65535 by placing the port number in 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the current privilege level is bigger 
(has less privilege) than IOPL, which is the 
privilege level found in the flags register. 


REAL ADDRESS MODE EXCEPTIONS 
None 


OUTS OX,eb 
OUTS OX,ew 
OUTSB 
OUTSW 


Output byte [SI] to port number OX 
Output word [SI] to port number OX 
Output byte OS:[SI] to port number OX 
Output word OS:[SI] to port number OX 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


OUTS 
transfers 
data from the memory 
byte 
or word at SI to the output 
port numbered 
by 
the DX register. 


OUTS 
does not allow the specification 
of the 
port number 
as an immediate 
value. The port 
must be addressed 
through 
the DX register. 


After 
the transfer 
is made, 
SI is automati- 
cally advanced. 
If the direction 
flag is 0 (CLD 
was executed), 
SI increments; 
if the direction 
flag is 1 (STD was executed), 
SI decrements. 


SI increments 
or decrements 
by 1 if a byte 
was moved; by 2 if a word was moved. 


OUTS can be preceded 
by the REP prefix for 
block output 
of CX bytes or words. Refer 
to 
the 
REP 
instruction 
for 
details 
of 
this 
operation. 


Not all output devices can handle the rate 
at which this instruction 
transfers 
data. 


PROTECTED 
MDOE EXCEPTIONS 
#GP(O) 
if CPL 
:> IOPL. 
#GP(O) 
for 
an 
illegal memory 
operand 
effective 
address 
in 
the CS, DS, or ES segments; 
#SS(O) for an 
illegal address 
in the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 
OFFFFH. 


Opcode 
Instruction 
Clocks 


1F 
POP OS 
5,pm=20 


07 
POP ES 
5,pm=20 


17 
POP SS 
5,pm=20 


8F 
/0 
POP mw 
5 


58+ 
rw 
POP rw 
5 


Pop top of stack into OS 
Pop top of stack into ES 
Pop top of stack into SS 
Pop top of stack into memory word 
Pop top of stack into word register 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The word on the-top of the iAPX 286 stack, 
addressed by SS:SP, replaces the previous 
contents of the memory, register, or segment 
register 
operand. 
The stack pointer 
SP is 


incremented by 2 to point to the new top of 
stack. 


If the destination operand is another segment 
register (DS, ES, or SS), the value popped 
must be a selector. In protected mode, loading 
the selector initiates automatic loading of the 
descriptor information associated with that 
selector into the hidden part of the segment 


register; loading also inItIates validation of 
both 
the 
selector 
and 
the 
descriptor 


information. 


A null value (0000-0003) may be loaded into 
the DS or ES register 
without 
causing 
a 


protection exception. Attempts to reference 
memory using a segment register with a null 
value 
will cause 
#GP(O) 
exception. 
No 


memory reference will occur. The saved value 
of the segment register will be null. 


A POP SS instruction will inhibit all inter- 
rupts until after the execution of the next 
instruction. 


Following is a listing of the protected-mode 
checks and actions taken in the loading of a 
segment register: 


If SS is loaded: 
If selector is null then #GP(O) 
Selector index must be within its descriptor table limits else #GP (selector) 
Selector's RPL must equal CPL else #GP (selector) 
AR byte must indicate a writable data segment else #GP (selector) 
OPL in the AR byte must equal CPL else #GP (selector) 
Segment must be marked PRESENT else #SS (selector) 
Load SS register with selector 
Load SS cache with descriptor 


If ES or OS is loaded with non-null selector: 
AR byte must indicate data or readable code segment else #GP (selector) 
If data or non-conforming code, then both the RPL and the 


CPL must be less than or equal to OPL in AR byte else #GP (selector) 
Segment must be marked PRESENT else #NP (selector) 
Load segment register with selector 
Load segment register cache with descriptor 
If ES or OS is loaded with a null selector: 
Load segment register with selector 
Clear valid bit in cache 


PROTECTED 
MODE EXCEPTIONS 


If a segment 
register 
is being 
loaded, 
#GP, 
#SS, 
and 
#NP, 
as described 
in the 
listing 


above. 


Otherwise, 
#SS(O) if the current 
top of stack 
is not within the stack segment. 


#GP(O) if the destination 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 
operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 
OFFFFH. 


POPA - 
Pop All General Registers 


FLAGS MODIFIED 
None 


the general registers to their values before 
PUSHA 
was executed. 
The first register 


popped is DI. 


FLAGS UNDEFINED 
None 
PROTECTED 
MODE EXCEPTIONS 
#SS(0) if the starting or ending stack address 
is not within the stack segment. 
OPERATION 
POP A pops the eight general registers given 
in the description above, except that the SP 
value is discarded instead of loaded into SP. 
POPA reverses a previous PUSHA, restoring 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


POPF-Pop 
from Stack into the Flags Register 


FLAGS MODIFIED 
Entire flags register is popped from stack 


FLAGS UNDEFINED 
None 


OPERATION 
The top of the iAPX 286 stack, pointed to by 
SS:SP, is copied into the iAPX 286 flags 
register. The stack pointer SP is incremented 
by 2 to point to the new top of stack. The 
flags, from the top bit (bit 15) to the bottom 
(bit 0), are as follows: undefined, nested task, 
I/O privilege level (2 bits), overflow, direc- 
tion, interrupts 
enabled, 
trap, 
sign, zero, 
undefined, auxiliary carry, undefined, parity, 
undefined, and carry. 


The I/O privilege level will be altered only 
when executing at privilege level O.The inter- 
rupt enable flag will be altered only when 
executing at a level at least as privileged as 
the I/O privilege level. (Real Address mode 
is equivalent 
to privilege 
level 0.) If you 


execute a POPF instruction with insufficient 
privilege, 
there 
will be no exception; 
the 


privileged bits will not change. 


PROTECTED 
MODE EXCEPTIONS 
#SS(O) if the top of stack is not within the 
stack segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 13 for a word operand at OFFFFH. 


Opcode 
Instruction 
Clocks 


06 
PUSH ES 
3 


OE 
PUSH CS 
3 


16 
PUSH SS 
3 


1E 
PUSH OS 
3 


50+ 
rw 
PUSH rw 
3 


FF 
/6 
PUSH mw 
5 


68 
dw 
PUSH dw 
3 


6A 
db 
PUSH db 
3 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


The stack pointer SP is decremented 
by 2, and 


the operand 
is placed on the new top of stack, 
which is pointed to by SS:SP. 


The iAPX 
286 PUSH 
SP instruction 
pushes 
the 
value 
of SP 
as it existed 
before 
the 
instruction. 
This differs 
from 
the iAPX 
86, 


Push ES 
Push CS 
Push SS 
Push OS 
Push word register 
Push memory word 
Push immediate word 
Push immediate sign-extended byte 


which 
pushes 
the 
new (decremented 
by 2) 
value. 


PROTECTED 
MODE EXCEPTIONS 


#SS(O) if the new value of SP is outside 
the 
stack segment 
limit. 


#GP(O) for an illegal memory 
operand 
effec- 


tive address 
in the CS, DS, or ES segments; 
#SS(O) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


PUSHA - 
Push All General Registers 


FLAGS MODIFIED 
None 


in the order in which they were given, they 
will appear in the 16 new stack bytes in the 
reverse order. The last register pushed is DI. 


FLAGS UNDEFINED 
None 
PROTECTED 
MODE EXCEPTIONS 
#SS(O) if the starting or ending address is 
outside the stack segment limit. 
OPERATION 
PUSHA saves the registers noted above on the 
iAPX 286 stack. The stack pointer SP is 
decremented by 16 to hold the 8 word values. 
Since the registers are pushed onto the stack 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


PUSHF - 
Push Flags Register onto the Stack 


FLAGS MODIFIED 


None 


nested 
task, 
I/O 
privilege 
level 
(2 bits), 


overflow, 
direction, 
interrupts 
enabled, 
trap, 


sign, 
zero, 
undefined, 
auxiliary 
carry, 


undefined, 
parity, 
undefined, 
and carry. 
FLAGS UNDEFINED 


None 


OPERATION 


The stack pointer SP is decremented 
by 2, and 


the iAPX 
286 flags register 
is copied 
to the 
new top 
of stack, 
which 
is pointed 
to by 
SS:SP. The flags, from the top bit (15) to the 
bottom 
bit 
(0), 
are 
as follows: 
undefined, 


PROTECTED 
MODE EXCEPTIONS 


#SS(O) if the new value of SP is outside 
the 


stack segment 
limit. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


RCLI RCR I ROL I ROR-Rotate 
Instructions 


Opcode 
Instruction 
Clocks-N' 
Description 


DO 
/2 
RCL eb,1 
2,mem=7 
Rotate 9-bits (CF, EA byte) left once 


02 
/2 
RCL eb,CL 
5,mem=8 
Rotate 9-bits (CF, EA byte) left CL times 


CO 
/2 
db 
RCL eb,db 
5,mem=8 
Rotate 9-bits (CF, EA byte) left db times 


01 
/2 
RCL eW,1 
2,mem=7 
Rotate 17-bits (CF, EA word) left once 


03 
/2 
RCL eW,CL 
5,mem=8 
Rotate 17-bits (CF, EA word) left CL times 
C1 
/2 
db 
RCL eW,db 
5,mem=8 
Rotate 17-bits (CF, EA word) left db times 


DO 
/3 
RCR eb,1 
2,mem=7 
Rotate 9-bits (CF, EA byte) right once 


02 
/3 
RCR eb,CL 
5,mem=8 
Rotate 9-bits (CF, EA byte) right CL times 
CO 
/3 
db 
RCR eb,db 
5,mem=8 
Rotate 9-bits (CF, EA byte) right db times 
01 
/3 
RCR eW,1 
2,mem=7 
Rotate 17-bits (CF, EA word) right once 


03 
/3 
RCR eW,CL 
5,mem=8 
Rotate 17-bits (CF, EA word) right CL times 
C1 
/3 
db 
RCR eW,db 
5,mem=8 
Rotate 17-bits (CF, EA word) right db times 


DO 
/0 
ROL eb,1 
2,mem=7 
Rotate 8-bit EA byte left once 


02 
/0 
ROL eb,CL 
5,mem=8 
Rotate 8-bit EA byte left CL times 


CO 
/0 
db 
ROL eb,db 
5,mem=8 
Rotate 8-bit EA byte left db times 


01 
/0 
ROL eW,1 
2,mem=7 
Rotate 16-bit EA word left once 


03 
/0 
ROL eW,CL 
5,mem=8 
Rotate 16-bit EA word left CL times 


C1 
/0 
db 
ROL eW,db 
5,mem=8 
Rotate 16-bit EA word left db times 


DO 
/1 
ROR eb,1 
2,mem=7 
Rotate 8-bit EA byte right once 


02 
/1 
ROR eb,CL 
5,mem=8 
Rotate 8-bit EA byte right CL times 


CO 
/1 
db 
ROR eb,db 
5,mem=8 
Rotate 8-bit EA byte right db times 


01 
/1 
ROR eW,1 
2,mem=7 
Rotate 16-bit EA word right once 


03 
/1 
ROR eW,CL 
5,mem=8 
Rotate 16-bit EA word right CL times 


C1 
/1 
db 
ROR eW,db 
5,mem=8 
Rotate 16-bit EA word right db times 


FLAGS MODIFIED 
Overflow (only for single rotates), carry 


FLAGS UNDEFINED 
Overflow for multi-bit rotates 


OPERATION 
Each rotate instruction shifts the bits of the 
register or memory operand given. The left 
rotate instructions shift all of the bits upward, 
except for the top bit, which comes back 
around 
to the bottom. 
The right 
rotate 


instructions 
do the reverse: the bits shift 


downward, with the bottom bit coming around 
to the top. 


For the RCL and RCR instructions, the carry 
flag is part of the rotated quantity. RCL shifts 
the carry flag into the bottom bit and shifts 
the top bit into the carry flag; RCR shifts the 


carry flag into the top bit and shifts the 
bottom bit into the carry flag. For the ROL 
and ROR instructions, the original value of 
the carry flag is not a part of the result; 
nonetheless, the carry flag receives a copy of 
the bit that was shifted from one end to the 
other. 


The rotate is repeated the number of times 
indicated by the second operand, which is 
either an immediate number or the contents 
of the CL register. The iAPX 286 does not 
allow rotation counts greater than 31. If a 
rotation count greater than 31 is attempted, 
only the bottom five bits of the rotation are 
used. The iAPX 86 does not mask rotate 
counts. 


The overflow flag is set only for the single- 
rotate (second operand = 1) forms of the 


Instructions. 
tor 
KCK, the test for overflow 


is made before the rotation; 
for RCL, 
ROL, 


and ROR, 
it is made after 
the rotation. 
The 


test is as follows: if the carry flag equals 
the 


high bit of the operand, 
set the overflow flag 


to 0; if the carry flag does not equal the high 
bit of the operand, 
set the overflow flag to 1. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 
OFFFFH. 


REP IREPE/REPNE-Repeat 
FollowingStringOperation 


Opcode 
Instruction 
Clocks' 
Description 


F3 
6C 
REP INS eb,OX 
5+4*CX 
Input CX bytes from port OX into ES:[OI] 
F3 
60 
REP INS ew,OX 
5+4*CX 
Input CX words from port OX into ES:[OI) 
F3 
6C 
REP INSB 
5+4*CX 
Input CX bytes from port OX into ES:[OI] 
F3 
60 
REP INSW 
5+4*CX 
Input CX words from port OX into ES:[OI] 
F3 
A4 
REP MOVS mb,mb 
5+4*CX 
Move CX bytes from [SI] to ES:[OI] 
F3 
A5 
REP MOVS mW,mw 
5+4*CX 
Move CX words from [SI] to ES:[OI] 
F3 
A4 
REP MOVSB 
5+4*CX 
Move CX bytes from OS:[SI] to ES:[OI] 
F3 
A5 
REP MOVSW 
5+4*CX 
Move CX words from OS:[SI] to ES:[OI) 
F3 
6E 
REP OUTS OX,eb 
5+4*CX 
Output CX bytes from [SI] to port OX 
F3 
6F 
REP OUTS OX,ew 
5+4*CX 
Output CX words from [SI] to port OX 
F3 
6E 
REP OUTSB 
5+4*CX 
Output CX bytes from OS:[SI] to port OX 
F3 
6F 
REP OUTSW 
5+4*CX 
Output CX words from OS:[SI] to port OX 
F3 
AA 
REP STOS mb 
4+3*CX 
Fill CX bytes at ES:[OI] with AL 
F3 
AB 
REP STOS mw 
4+3*CX 
Fill CX words at ES:[OI] with AX 
F3 
AA 
REP STOSB 
4+3*CX 
Fill CX bytes at ES:[OI] with AL 
F3 
AB 
REP STOSW 
4+3*CX 
Fill CX words at ES:[OI] with AX 
F3 
A6 
REPE CMPS mb,mb 
5+9*N 
Find nonmatching bytes in ES:[OI] and [SI) 
F3 
A7 
REPE CMPS mW,mw 
5+9*N 
Find nonmatching words in ES:[OI) and [SI) 
F3 
A6 
REPE CMPSB 
5+9*N 
Find nonmatching bytes in ES:[OI] and OS:(SI) 
F3 
A7 
REPE CMPSW 
5+9*N 
Find nonmatching words in ES:[OI] and OS:[SI) 
F3 
AE 
REPE SCAS mb 
5+S*N 
Find non-AL byte starting at ES:(OI) 
F3 
AF 
REPE SCAS mw 
5+S*N 
Find non-AX word starting at ES:[OI] 
F3 
AE 
REPE SCASB 
5+S*N 
Find non-AL byte starting at ES:(OI] 
F3 
AF 
REPE SCASW 
5+S*N 
Find non-AX word starting at ES:[OI) 
F2 
A6 
REPNE CMPS mb,mb 
5+9*N 
Find matching bytes in ES:[OI] and [SI) 
F2 
A7 
REPNE CMPS mW,mw 
5+9*N 
Find matching words in ES:[OI] and [SI) 
F2 
A6 
REPNE CMPSB 
5+9*N 
Find matching bytes in ES:[OI] and OS:(SI] 
F2 
A7 
REPNE CMPSW 
5+9*N 
Find matching words in ES:[OI] and OS:[SI) 
F2 
AE 
REPNE SCAS mb 
5+S*N 
Find AL, starting at ES:[OI] 
F2 
AF 
REPNE SCAS mw 
5+S*N' 
Find AX, starting at ES:[OI] 
F2 
AE 
REPNE SCASB 
5+S*N 
Find AL, starting at ES:[OI] 
F2 
AF 
REPNE SCASW 
5+S*N 
Find AX, starting at ES:[OI] 


FLAGS MODIFIED 
By CMPS and SCAS, none by REP 
Thus, REPE stands for "Repeat while equal," 
REPNE for "Repeat while not equal." 


FLAGS UNDEFINED 
None 


The REP prefixes make sense only in the 
contexts listed above. They cannot be applied 
to anything other than string operations. 


OPERATION 
REP, REPE, and REPNE are prefix opera- 
tions. These prefixes cause the string instruc- 
tion that follows to be repeated CX times or 
(for REPE and REPNE) until the indicated 
condition in the zero flag is no longer met. 


Synonymous forms of REPE and REPNE are 
REPZ and REPNZ, respectively. 


The REP prefixes apply only to one string 
instruction at a time. To repeat a block of 
instructions, use a LOOP construct. 


The precise action for each iteration is as 
follows: 


1. 
Check the CX register. If it is zero, exit 
the iteration 
and 
move to the 
next 


instruction. 


2. 
Acknowledge any pending interrupts. 


3. 
Perform the string operation once. 


4. 
Decrement 
CX· by 
I; 
no flags 
are 


modified. 


5. 
If the string operation is SCAS or CMPS, 
check the zero flag. If the repeat condi- 
tion does not hold, then exit the iteration 
and move to the next instruction. Exit if 
the prefix is REPE and ZF=O (the last 
comparison 
was not equal), 
or if the 


prefix is REPNE 
and ZF = I (the last 


comparison was equal). 


6. 
Go to step 1 for the next iteration. 


As defined by the individual string-ops, the 
direction of movement through the block is 
determined by the direction flag. If the direc- 
tion flag is 1 (STD was executed), SI and/or 
DI start at the end of the block and move 


backward; if the direction flag is 0 (CLD was 
executed), SI and/or 
DI start at the begin- 


ning of the block and move forward. 


For repeated SCAS and CMPS operations the 
repeat can be exited for one of two different 
reasons: the CX count can be exhausted or 
the zero flag can fail the repeat condition. 
Your code will probably want to distinguish 
between the two cases. It can do so via either 
the JCXZ instruction or the conditional jumps 
that test the zero flag (JZ, JNZ, 
JE, and 


JNE). 


Not all input/output ports can handle the 
rate at which the repeated I/O instruc- 
tions execute. 


PROTECTED 
MODE EXCEPTIONS 
None by REP; exceptions can be generated 
when the string-op is executed. 


REAL ADDRESS MODE EXCEPTIONS 
None by REP; exceptions can be generated 
when the string-op is executed. 


Opcode 
Instruction 
Clocks- 
Description 


CB 
RET 
15,pm=25 
Return to far caller, same privilege 


CB 
RET 
55 
Return, lesser privilege, switch stacks 


C3 
RET 
11 
Return to near caller 


CA 
dw 
RET dw 
15,pm=25 
RET (far), same privilege, pop dw bytes 


CA 
dw 
RET dw 
55 
RET (far), lesser privilege, pop dw bytes 
C2 
dw 
RET dw 
11 
RET (near), pop dw bytes pushed before Call 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
RET transfers control to a return 
address 


located on the stack. The address is usually 
placed on the stack by a CALL instruction; 
in that case, the return is made to the instruc- 
tion that follows the CALL. 


There is an optional numeric parameter 
to 


RET. It gives the number of stack bytes to be 
released after the return address is popped. 
These 
bytes 
are typically 
used as input 


parameters to the procedure called. 


For the intra-segment return, the address on 
the stack is a 2-byte quantity popped into IP. 
The CS register is unchanged. 


For the inter-segment return, the address on 
the stack is a 4-byte-long pointer. The offset 
is popped first, followed by the selector. In 
real address mode, CS and IP are directly 
loaded. 


In protected mode, an inter-segment 
return 


causes the processor to consult the descriptor 
addressed by the return selector. The AR byte 
of the descriptor must indicate a code segment 
of equal or less privilege (of greater or equal 
numeric value) than the current 
privilege 


level. Returns to a lesser privilege level cause 
the stack to be reloaded from the value saved 
beyond the parameter block. 


The DS and ES segment registers may be set 
to zero by the inter-segment RET instruction. 
If these registers refer to segments which 
cannot be used by the new privilege level, they 
are set to zero to prevent unauthorized access. 


The following 
list of checks 
and actions 


describes the protected-mode 
inter-segment 


return in detail. 


Inter-segment RET: 
Second word on stack must be within stack limits else #SS(O) 
Return selector RPL must be ~ CPL else #GP (return selector) 
If return selector RPL = CPL then 


RETURN TO SAME LEVEL: 
Returl1selector must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP (selector) 
Descriptor AR byte must indicate code segment else #GP (selector) 
If non-conforming then code segment DPL must equal CPL else #GP (selector) 
If conforming then code segment DPL must be ::; CPL else #GP (selector) 
Code segment must be PRESENT else #NP (selector) 
Top word on stack must be within stack limits else #SS(O) 
IP must be in code segment limit else #GP(O) 
Load CS:IP from stack 
Load CS-cache with descriptor 
Increment SP by 4 plus the immediate offset if it exists 


Else 
RETURN TO OUTER PRIVILEGE LEVEL: 
Top (8+ immediate) bytes on stack must be within stack limits else #SS(O) 
Examine return CS selector (at SP+2) and associated descriptor: 
Selector must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP (selector) 
Descriptor AR byte must indicate code segment else #GP (selector) 
If non-conforming then code segment DPL must equal return selector RPL else #GP (selector) 
If conforming then code segment DPL must be ::; return selector RPL else #GP (selector) 
Segment must be PRESENT else #NP (selector) 


Examine return SS selector (at SP+6+imm) 
and associated descriptor: 


Selector must be non-null else #GP(O) 
Selector index must be within its descriptor table limits else #GP (selector) 
Selector RPL must equal the RPL of the return CS selector else #GP (selector) 
Descriptor AR byte must indicate a writable data segment else #GP (selector) 
Descriptor DPL must equal the RPL of the return CS selector else #GP (selector) 
Segment must be PRESENT else #NP (selector) 


IP must be in code segment limit else # GP(O) 
Set CPL to the RPL of the return CS selector 
Load CS:IP from stack 
Set CS RPL to CPL 
Increment SP by 4 plus the immediate offset if it exists 
Load SS:SP from stack 
Load the CS-cache with the return CS descriptor 
Load the SS-cache with the return SS descriptor 
For each of ES and DS: 
If the current register setting is not valid for the outer level, set the 


register to null (selector = AR = 0) 


To be valid, the register setting must satisfy the following properties: 


Selector index must be within descriptor table limits 
Descriptor AR byte must indicate data or readable code segment 
If segment is data or non-conforming code, then: 


DPL must be ~ CPL, or 
DPL must be ~ RPL 


PROTECTED 
MODE EXCEPTIONS 


#GP, #NP, or #55, as described 
in the above 


listing. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 if the stack 
pop wraps 
around 
from OFFFFH 
to O. 


SAHF-Store 
AH intoFlags 


FLAGS MODIFIED 


Sign, zero, auxiliary 
carry, 
parity, 
carry 
from the AH register, 
from bits 7, 6, 4, 2, and 


0, respectively. 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


None 


OPERATION 


The flags listed above are loaded with values 


REAL ADDRESS MODE EXCEPTIONS 


None 


SAL/ SAR / SHL/ SHR -Shift 
Instructions 


Opcode 
Instruction 
Clocks-N' 
Description 


DO 
/4 
SAL eb,1 
2,mem=7 
Multiply EA byte by 2, once 
02 
/4 
SAL eb,CL 
5,mem=8 
Multiply EA byte by 2, CL times 
CO 
/4 
db 
SAL eb,db 
5,mem=8 
MUltiply EA byte by 2, db times 
01 
/4 
SAL eW,1 
2,mem=7 
Multiply EA word by 2, once 
03 
/4 
SAL eW,CL 
5,mem=8 
Multiply EA word by 2, CL times 
C1 
/4 
db 
SAL eW,db 
5,mem=8 
Multiply EA word by 2, db times 
DO 
/7 
SAR eb,1 
2,mem=7 
Signed divide EA byte by 2, once 
02 
/7 
SAR eb,CL 
5,mem=8 
Signed divide EA byte by 2, CL times 
CO 
/7 
db 
SAR eb,db 
5,mem=8 
Signed divide EA byte by 2, db times 
01 
/7 
SAR eW,1 
2,mem=7 
Signed divide EA word by 2, once 
03 
/7 
SAR eW,CL 
5,mem=8 
Signed divide EA word by 2, CL times 
C1 
/7 
db 
SAR eW,db 
5,mem=8 
Signed divide EA word by 2, db times 
DO 
/5 
SHR eb,1 
2,mem=7 
Unsigned divide EA byte by 2, once 


02 
/5 
SHR eb,CL 
5,mem=8 
Unsigned divide EA byte by 2, CL times 
CO 
/5 
db 
SHR eb,db 
5,mem=8 
Unsigned divide EA byte by 2, db times 
01 
/5 
SHR eW,1 
2,mem=7 
Unsigned divide EA word by 2, once 
03 
/5 
SHR eW,CL 
5,mem=8 
Unsigned divide EA word by 2, CL times 
C1 
/5 
db 
SHR eW,db 
5,mem=8 
Unsigned divide EA word by 2, db times 


FLAGS MODIFIED 
Overflow (only for single-shift form), carry, 
zero, overflow, parity, sign 


FLAGS UNDEFINED 
Auxiliary carry 


OPERATION 
SAL (or its synonym SHL) shifts the bits of 
the operand upward. The high-order bit is 
shifted into the carry flag, and the low-order 
bit is set to O. 


SAR and SHR shift the bits of the operand 
downward. The low-order bit is shifted into 
the carry flag. The effect is to divide the 
operand by 2. SAR performs a signed divide: 
the high-order bit remains the same. SHR 
performs an unsigned divide: the high-order 
bit is set to O. 


The shift is repeated the number of times 
indicated by the second operand, which is 
either an immediate number or the contents 
of the CL register. The iAPX 286 does not 


allow shift counts greater than 31. If a shift 
count greater than 31 is attempted, only the 
bottom five bits of the shift count are used. 
The iAPX 86 uses all 8 bits of the shift count. 


The overflow flag is set only if the single-shift 
forms of the instructions are used. For left 
shifts, it is set to 0 if the high bit of the answer 
is the same as the result carry flag (i.e., the 
top two bits of the original operand were the 
same); it is set to 1 if they are different. For 
SAR it is set to 0 for all single shifts. For 
SHR, it is set to the high-order bit of the 
original operand. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the operand is in a non-writable 
segment. 
#GP(O) for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 
OFFFFH. 


SBB-Integer 
Subtraction With Borrow 


Opcode 
Instruction 
Clocks 


18 
If 
SBB eb,fb 
2,mem=7 


19 
If 
SBB ew,rw 
2,mem=7 


1A 
If 
SBB fb,eb 
2,mem=7 


1B 
If 
SBB rw,ew 
2,mem=7 


1C 
db 
SBB AL,db 
3 


10 
dw 
SBB AX,dw 
3 


80 
13 
db 
SBB eb,db 
3,mem=7 


81 
13 
dw 
SBB eW,dw 
3,mem=7 


83 
13 
db 
SBB ew,db 
3,mem=7 


Subtract with borrow byte register from EA 
byte 
Subtract with borrow word register from EA 
word 
Subtract with borrow EA byte from byte 
register 
Subtract 
with borrow 
EA word from word 


register 
Subtract with borrow imm. byte from AL 
Subtract with borrow imm. word from AX 
Subtract with borrow imm. byte from EA byte 
Subtract with borrow imm. word from EA word 
Subtract with borrow imm. byte from EA word 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 
carry 


FLAGS UNDEFINED 


None 


OPERATION 


The second operand 
is added to the carry flag 


and 
the 
result 
is subtracted 
from 
the 
first 


operand. 
The first 
operand 
is replaced 
with 


the result of the subtraction, 
and the flags are 


set accordingly. 


When 
a byte-immediate 
value 
is subtracted 


from a word operand, 
the immediate 
value is 


first sign-extended. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 


segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 


ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


SCAS 
mb 
SCAS 
mw 
SCASB 
SCASW 


Compare 
bytes AL - ES:[OI], 
advance 
01 


Compare 
words 
AX - ES:[OI]. 
advance 
01 


Compare 
bytes AL - ES:[OI], 
advance 
01 


Compare 
words 
AX - ES:[OI], 
advance 
01 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 
carry 


FLAGS UNDEFINED 


None 


OPERATION 


SCAS 
subtracts 
the memory 
byte or word at 


ES:DI from the AL or AX register. The result 
is discarded; 
only 
the 
flags 
are 
set. 
The 


operand 
must 
be addressable 
from 
the 
ES 


register; 
no segment 
override 
is possible. 


After the comparison 
is made, DI is automat- 


ically 
advanced. 
If the 
direction 
flag 
is 0 


(CLD 
was executed), 
DI increments; 
if the 


direction 
flag is I (STD 
was executed), 
DI 


decrements. 
DI increments 
or decrements 
by 


I if bytes were compared; 
by 2 if words were 


compared. 


SCAS 
can 
be preceded 
by the 
REPE 
or 


REPNE 
prefix for a block search of CX bytes 


or words. 
Refer 
to the REP 
instruction 
for 


details of this operation. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 


tive address 
in the CS, DS, or ES segments; 


#SS(O) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


SGDT/SIDT -Store 
Global/Interrupt Descriptor Table 
Register 


OF 
01 
/0 
OF 
01 
/1 


SGDT m 
SlOT m 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The contents of the descriptor table register 
are copied to six bytes of memory indicated 
by the operand. 
The LIMIT 
field of the 


register goes to the first word at the effective 
address; the next three bytes get the BASE 
field of the register; 
and the last byte is 


undefined. 


SGDT and SIDT appear only in operating 
systems software; they are not used in appli- 
cations programs. 


Store Global Descriptor Table register to m 
Store Interrupt Descriptor Table register to m 


PROTECTED 
MODE EXCEPTIONS 
#UD if the destination operand is a register. 
#GP(O}if the destination is in a non-writable 
segment. 
#GP(O} for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O} for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
These instructions are valid in Real Address 
mode to facilitate power-up or to reset initial- 
ization prior to entering Protected mode. 


#UD if the destination operand is a register. 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


SLOT -Store 
Local Descriptor Table Register 


Store Local Descriptor Table register to EA 
word 


FLAGS MODIFIED 
None 


SLDT appears 
only in operating 
systems 
software. 
It is not used 
in applications 
programs. 


FLAGS UNDEFINED 
None 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the destination is in a non-writable 
segment. 
#GP(O) for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


OPERATION 
The Local Descriptor Table register is stored 
in the 2-byte register or memory location 
indicated by the effective address operand. 
This register is a selector that points into the 
Global Descriptor Table. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 6; SLDT is not recognized in Real 
Address mode. 


SMSW -Store 
MachineStatus Word 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the destination 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 


the SS segment. 


OPERATION 


The Machine 
Status 
Word 
is stored 
in the 


2-byte register 
or memory 
location 
indicated 


by the effective 
address 
operand. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 
OFFFFH. 


STC-Set Carry Flag 


FLAGS MODIFIED 
Carry = 1 


FLAGS UNDEFINED 
None 


OPERATION 
The carry flag is set to 1. 


PROTECTED 
MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


STD-Set 
DirectionFlag 


FLAGS MODIFIED 
Direction = 1 
index registers (SI and/or DI) on which they 
operate. 


FLAGS UNDEFINED 
None 


PROTECTED 
MODE EXCEPTIONS 
None 


OPERATION 
The direction flag is set to 1. This causes all 
subsequent string operations to decrement the 


REAL ADDRESS MODE EXCEPTIONS 
None 


STI-Set 
InterruptEnableFlag 


FLAGS MODIFIED 


Interrupt 
= I 


iAPX 286 will now respond 
to external 
inter- 
rupts after executing 
the next instruction. 


FLAGS UNDEFINED 


None 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the current 
privilege 
level is bigger 
(has 
less privilege) 
than 
the 
I/O 
privilege 
level. 


OPERATION 


The interrupts-enabled 
flag is set to I. The 


REAL ADDRESS MODE EXCEPTIONS 


None 


STOS/STOSB/STOSW-Store 
String Data 


Opcode 
Instruction 
Clocks 


AA 
STOS 
mb 
3 
AS 
STOS 
mw 
3 
AA 
STOSS 
3 
AS 
STOSW 
, 
3 


Store AL to byte ES:[OI), advance 
01 
Store AX to word 
ES:[OI), advance 
01 
Store AL to byte ES:[OI), advance 
01 
Store AX to word 
ES:[OI), advance 
01 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


STOS 
transfers 
the contents 
the AL or AX 


register to the memory byte or word at ES:DI. 
The operand must be addressable 
from the ES 


register; 
no segment 
override 
is possible. 


After 
the transfer 
is made, 
DI is automati- 


cally advanced. 
If the direction 
flag is 0 (CLD 


was executed), 
DI increments; 
if the direction 


flag is 1 (STD was executed), 
DI decrements. 


DI increments 
or decrements 
by 1 if a byte 
was moved; by 2 if a word was moved. 


STOS can be preceded 
by the REP prefix for 
a block fill of CX bytes or words. Refer to the 
REP instruction 
for details 
of this operation. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if the destination 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 
OFFFFH. 


STR-Store 
Task Register 


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 
The contents of the Task Register are copied 
to the 2-byte register or memory location 
indicated by the effective address operand. 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) if the destination is in a non-writable 
segment. 
#GP(O) 
for an illegal 
memory 


operand effective address in the CS, DS, or 
ES segments; #SS(O) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 6; STR is not recognized in Real 
Address mode. 


SUB-Integer 
Subtraction 


Opcode 
Instruction 
Clocks 


28 
/r 
SUB eb,rb 
2,mem=7 
29 
/r 
SUB ew,rw 
2,mem=7 
2A 
/r 
SUB rb,eb 
2,mem=7 


2B 
/r 
SUB rw,ew 
2,mem=7 


2C 
db 
SUB AL,db 
3 


20 
dw 
SUB AX,dw 
3 


80 
/5 
db 
SUB eb,db 
3,mem=7 


81 
/5 
dw 
SUB eW,dw 
3,mem=7 
83 
/5 
db 
SUB eW,db 
3,mem=7 


Subtract byte register from EA byte 
Subtract word register from EA word 
Subtract EA byte from byte register 
Subtract EA word from word register 
Subtract immediate byte from AL 
Subtract immediate word from AX 
Subtract immediate byte from EA byte 
Subtract immediate word from EA word 
Subtract immediate byte from EA word 


FLAGS MODIFIED 


Overflow, 
sign, zero, auxiliary 
carry, 
parity, 


carry 


FLAGS UNDEFINED 


None 


OPERATION 


The second 
operand 
is subtracted 
from 
the 


first operand, 
and the first operand 
is replaced 


with the result. 


When 
a byte-immediate 
value 
is subtracted 
from a word operand, 
the immediate 
value is 
first sign-extended. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


WAIT -Wait 
Until BUSY Pin Is Inactive (HIGH) 


FLAGS MODIFIED 


None 


to ensure 
that 
the numeric 
instruction 
being 


executed 
is complete, 
and 
to check 
for 
a 


possible numeric 
fault (see below). 


FLAGS UNDEFINED 


None 
PROTECTED 
MODE EXCEPTIONS 


#NM if task switch flag in MSW 
is set. #MF 


is 80287 has detected 
an unmasked 
numeric 


error. 


OPERATION 


WAIT 
suspends 
execution 
of 80286 
instruc- 


tions until the BUSY 
pin is inactive 
(high). 


The 
BUSY 
pin 
is driven 
by 
the 
80287 
numeric 
processor 
extension. 
WAIT 
is issued 


REAL ADDRESS MODE EXCEPTIONS 


Same as Protected 
mode. 


VERR, VERW -Verify 
a Segment for Reading or Writing 


OF 
00 
/4 
OF 
00 
/5 
VERR 
ew 
VERWew 
14,mem=16 
14,mem=16 


FLAGS MODIFIED 
Zero 


FLAGS UNDEFINED 
None 


OPERATION 
VERR and VER W expect the 2-byte register. 
or memory operand to contain the value of a 
selector. The instructions determine whether 
the segment denoted by the selector is reach- 
able from the current 
privilege 
level; the 
instructions 
also determine 
whether 
it is 
readable or writable. If the segment is deter- 
mined to be accessible, the zero flag is set to 
1; if the segment is not accessible, it is set to 
O. To set ZF, the following conditions must 
be met: 


1. 
The selector must denote a descriptor 
within the bounds of the table (GOT or 
LOT); 
that 
is, the selector 
must 
be 


"defined. " 


2. 
The selector must denote the descriptor 
of a code or data segment. 


3. 
If the instruction is VERR, the segment 
must be readable. If the instruction 
is 


VERW, the segment must be a writable 
data segment. 


Set ZF=1 if seg. can be read, selector ew 
Set ZF= 1 if seg. can be written, selector ew 


4. 
If the code segment 
is readable 
and 
conforming, the descriptor privilege level 
(OPL) 
can be any value for VERR. 


Otherwise, the OPL must be greater than 
or equal to (have less or the same privi- 
lege as) both the current privilege level 
and the selector's RPL. 


The validation performed is the same as if the 
segment were loaded into OS or ES and the 
indicated 
access 
(read 
or 
write) 
were 
performed. The zero flag receives the result 
of the validation. The selector's value cannot 
result in a protection exception. This enables 
the software to anticipate possible segment 
access problems. 


PROTECTED 
MODE EXCEPTIONS 
The only faults 
that 
can occur are those 
generated by illegally addressing the memory 
operand 
which contains 
the selector. 
The 
selector is not loaded into any segment regis- 
ter, and no faults attributable to the selector 
operand are generated. 


#GP(O) for an illegal memory operand effec- 
tive address in the CS, OS, or ES segments; 
#SS( 0) for an illegal 
address 
in the SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
6; VERR 
and VER Ware 
not 


recognized in Real Address Mode. 


TEST -Logical 
Compare 


84 
/r 
84 
/r 
85 
/r 
85 
/r 
A8 
db 
A9 
dw 
F6 
/0 
db 
F7 
/0 
dw 


AND byte register into EA byte for flags only 
AND EA byte into byte register for flags only 
AND word register into EA word for flags only 
AND EA word into word register for flags only 
AND immediate byte into AL for flags only 
AND immediate word into AX for flags only 
AND immediate byte into EA byte for flags only 
AND immediate word into EA word for flags 
only 


TEST 
eb,rb 
TEST 
rb,eb 
TEST 
ew,rw 
TEST 
rw,ew 
TEST 
AL,db 
TEST 
AX,dw 
TEST 
eb,db 
TEST 
eW,dw 


2,mem=6 
2,mem=6 
2,mem=6 
2,mem=6 
3 
3 
3,mem=6 
3,mem=6 


FLAGS MODIFIED 


Overflow=O, 
sign, zero, parity, 
carry=O 


FLAGS UNDEFINED 


Auxiliary 
carry 


OPERATION 


TEST 
computes 
the bit-wise 
logical AND 
of 


the two operands 
given. Each bit of the result 


is I if both of the corresponding 
bits of the 


operands 
are 
I; each bit is 0 otherwise. 
The 


result of the operation 
is discarded; 
only the 


flags are modified. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) for an illegal memory 
operand 
effec- 


tive address 
in the CS, DS, or ES segments; 
#SS(O) 
for 
an 
illegal 
address 
in the 
SS 


segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at offset 


OFFFFH. 


XCHG - 
Exchange Memory / Register with Register 


Opcode 
Instruction 
Clocks 


86 
Ir 
XCHG 
eb,rb 
3,mem=5 
86 
Ir 
XCHG 
rb,eb 
3,mem=5 
87 
Ir 
XCHG 
ew,rw 
3,mem=5 
87 
Ir 
XCHG 
rw,ew 
3,mem=5 
90+ 
rw 
XCHG AX,rw 
3 
90+ 
rw 
XCHG 
rw,AX 
3 


Exchange byte register with EA byte 
Exchange EA byte with byte register 
Exchange word register with EA word 
Exchange EA word with word register 
Exchange word register with AX 
Exchange with word register 


FLAGS MODIFIED 


None 


FLAGS UNDEFINED 


None 


OPERATION 


The two operands 
are exchanged. 
The order 


of the operands 
is immaterial. 
BUS LOCK 
is 


asserted 
for the 
duration 
of the 
exchange, 
regardless 
of the presence 
or absence 
of the 


LOCK 
prefix or IOPL. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) if either operand 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 


operand 
effective 
address 
in the CS, DS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 


OFFFFH. 


XLA T -Table 
Look-up Translation 


Set AL to memory byte DS:[BX + unsigned 
ALl 
Set AL to memory byte DS:[BX + unsigned 
ALl 


FLAGS MODIFIED 
None 


PROTECTED 
MODE EXCEPTIONS 
#GP(O) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(O) for an illegal 
address 
in the SS 
segment. 


FLAGS UNDEFINED 
None 


OPERATION 
When XLA T is executed, AL should be the 
unsigned 
index into a table addressed 
by 
DS:BX. XLA T changes the AL register from 
the table index into the table entry. BX is 
unchanged. 


REAL ADDRESS MODE EXCEPTIONS 
Interrupt 
13 for a word operand at offset 


OFFFFH. 


X OR - 
Logical Exclusive OR 


Opcode 
Instruction 
Clocks 


30 
If 
XOR eb,fb 
2,mem=7 
31 
If 
XOR ew,rw 
2,mem=7 
32 
If 
XOR fb,eb 
2,mem=7 
33 
If 
XOR rw,ew 
2,mem=7 
34 
db 
XOR AL,db 
3 
35 
dw 
XOR AX,dw 
3 
80 
16 
db 
XOR eb.db 
3.mem=7 
81 
16 
dw 
XOR eW,dw 
3,mem=7 


Exclusive-OR byte register into EA byte 
Exclusive-OR word register into EA word 
Exclusive-OR EA byte into byte register 
Exclusive-OR EA word into word register 
Exclusive-OR immediate byte into AL 
Exclusive-OR immediate word into AX 
Exclusive-OR immediate byte into EA byte 
Exclusive-OR immediate word into EA word 


FLAGS MODIFIED 


Overflow=O, 
sign, zero, parity, 
carry=O 


FLAGS UNDEFINED 


Auxiliary 
carry 


OPERATION 


XOR 
computes 
the exclusive 
OR of the two 
operands. 
Each 
bit of the 
result 
is 1 if the 
corresponding 
bits of the operands 
are differ- 
ent; each bit is 0 if the corresponding 
bits are 


the 
same. 
The 
answer 
replaces 
the 
first 
operand. 


PROTECTED 
MODE EXCEPTIONS 


#GP(O) 
if the 
result 
is in a non-writable 
segment. 
#GP(O) 
for 
an 
illegal 
memory 
operand 
effective 
address 
in the CS, OS, or 
ES segments; 
#SS(O) for an illegal address 
in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 
13 for 
a word 
operand 
at 
offset 
OFFFFH. 
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iAPX 286/10 
HIGH PERFORMANCE 
MICROPROCESSOR 


WITH MEMORY MANAGEMENT 
AND PROTECTION 


• 
High Performance 
8 and 10 MHz 


Processor (Up to six times IAPX 86) 


• 
Large Address Space: 
-16-Megabytes 
Physical 


-1 
Gigabyte Virtual per Task 


• 
Integrated Memory Management, 
Four- 


Level Memory Protection and Support 
for Virtual Memory and Operating 
Systems 
• 
Two IAPX 86 Upward Compatible 
Operating Modes: 
-IAPX 
86 Real Address Mode 


-Protected 
Virtual Address Mode 


• 
Optional Processor Extension: 
-IAPX 
286/20 High Performance 8o-blt 


-Numeric Data Processor 
• 
Complete System Development 
Support: 
-Development 
Software: Assembler, 


PUM, Pascal, FORTRAN, and System 
Utilities 
-In-Clrcult-Emulator 
(ICE T. -286) 


• 
High Bandwidth Bus Interface 
(8 or 10 Megabyte/see) 


• Available 
In EXPRESS: 
-Standard 
Temperature 
Range 


The iAPX 286/10 (80286 part number) 
is an advanced, 
.high-performance 
microprocessor 
with specially 
optimized 
capabilities 
for multiple 
user and multi-tasking 
systems. 
The 80286 
has built-in 
memory 
protection 
that supports 
operating 
system and task isolation as well as program and data privacy within tasks. A 10 MHz iAPX 286/10 provides 
up to six times greater throughput 
than the standard 
5 MHz iAPX 86/10. The 80286 includes 
memory 
management 
capabilities 
that map up to 230 bytes (one gigabyte) of virtual address space per task into 224 bytes (16 megabytes) 
of 
physical 
memory. 


The iAPX 286 is upward compatible 
with iAPX 86 and 88 software. 
Using iAPX 86 real address 
mode, the 80286 is 
object code compatible 
with existing 
iAPX 86, 88 software. 
In protected 
virtual address 
mode, the 80286 is source 
code compatible 
with iAPX 86, 88 software 
and may require 
upgrading 
to use virtual addresses 
supported 
by the 
80286's 
integrated 
memory management 
and protection 
mechanism. 
Both modes operate at full 80286 performance 
and execute a superset 
of the iAPX 86 and 88's instructions. 


The 80286 provides 
special operations 
to support the efficient 
implementation 
and execution 
of operating 
systems. 


For example, 
one instruction 
can end execution 
of one task, save its state, switch to a new task, load its state, and 
start execution 
of the new task. The 80286 also supports virtual memory systems by providing 
a segment-not-present 


exception 
and restartable 
instructions. 
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Table 1. Pin Description 


The following 
pin function descriptions 
are for the 80286 microprocessor: 


Symbol 
'TYpe 
Name and Function 


elK 
I 
System Clock provides the fundamental timing for iAPX 286 systems. It is divided by two inside 
the 80286 to generate 
the processor 
clock. 
The internal 
divide-by-two 
circuitry 
can 


be synchronized to an external clock generator by a lOW to HIGH transition on the RESET 
input. 


015-00 
1/0 
Data Bus inputs data during memory, 1/0, and interrupt acknowledge read cycles; outputs data 
during memory and 1/0 write cycles. The data bus is active HIGH and floats to 3-state OFF during 
bus hold acknowledge. 


A23-Ao 
0 
Address 
Bus outputs physical memory and 1/0 port addresses. AO is lOW when data is to be 


transferred on pins 07-0. A23-A16are lOW during 1/0 transfers. The address bus is active HIGH 
and floats to 3-state OFF during bus hold acknowledge. 


BHE 
0 
Bus High Enable indicates transfer of data on the upper byte of the data bus. 015=lL.Eight-bit 
oriented devices assigne<!.!Q..theupper byte of the data bus would normally use SHE to con- 
ditionchip selectfunctions. SHE is activelOW andfloatsto 3-stateOFF during bus hold acknowledge. 


SHEand AOEncodings 
SHEValue 
AOValue 
Function 


a 
a 
Wordtransfer 


a 
1 
Bytetransferonupperhalfofdatabus(0'5-8) 
1 
a 
Bytetransferonlowerhalfofdatabus(D7-0J 


1 
1 
Reserved 


Symbol 
l\jpe 
Name and Function 


S1,SO 
0 
Bus Cycle 
Status 
indicates 
initiation 
of a bus cycle and, along with MfIO 
and COD~, 
defines 
the type of bus cycle. 
The bus is in a Ts state 
whenever 
one or both 
are LOW. "ST and SO are 
active 
LOW and float to 3-state 
OFF during 
bus hold acknowledge. 


80286 Bus Cycle Status Definition 


CODflNTA 
MilO 
51 
SO 
Bus cycle Inllialed 


a (lOW) 
a 
a 
a 
Interrupt acknowledge 


a 
a 
a 
1 
Reserved 
a 
a 
1 
a 
Reserved 


a 
a 
1 
1 
None;not a slatus cycle 


a 
1 
a 
a 
IFA1~ 1lhen halt;else shutdown 


a 
1 
a 
1 
Memorydata read 


a 
1 
1 
a 
Memorydata write 


a 
1 
1 
1 
None; not a status cycle 
1 (HIGH) 
a 
a 
a 
Reserved 
1 
a 
a 
1 
If0 read 
1 
a 
1 
a 
1/0 write 
1 
a 
1 
1 
None; not a statuscycle 
1 
1 
a 
a 
Reserved 
1 
1 
a 
, 
Memory 
instruction 
read 
1 
1 
1 
a 
Reserved 
1 
1 
1 
, 
None; nol a slatuscycle 


M/IO 
0 
Memory/IO 
Select 
distinguishes 
memory 
access 
from 
I/O access. 
If HIGH 
during 
T 5' a memory 


cycle or a halt/shl!!9own 
cycle is in progress. 
If LOW, an I/O cycle or an interrupt 
acknowledge 
cycle 
is in progress. 
M/IO floats to 3-state OFF during bus hold acknowledge. 


COD/INTA 
a 
Code/Interrupt 
Acknowledge 
distinguishes 
instruction 
fetch cycles from memory 
data read cycles. 


Also distinguishes 
interrupt 
acknowledge 
cycles 
from 
I/O cycles. 
COD/INTA 
floats 
to 3-state 
OFF 


during bus hold acknowledge. 


LOCK 
0 
Bus Lock 
indicates 
that other system bus masters 
are not to gain control of the system 
bus following 


the current 
bus cycle. The LOCK signal may be activated 
explicitly 
by the "LOCK" 
instruction 
prefiX 


or automatically 
by 80286 
hardware 
during 
memory 
XCHG 
instructions, 
interrupt 
acknowledge, 
or 


descriptor 
table access. 
LOCK is active LOW and floats to 3-state OFF during bus hold acknowledge. 


READY 
I 
Bus Ready 
terminates 
a bus cycle. Bus cycles are extended 
without 
limit until terminated 
by READY 


LOW. READY 
is an active 
LOW synchronous 
input requiring 
setup 
and hold times 
relative 
to the 
system 
clock be met for correct 
operation. 
READY 
is ignored 
during bus hold acknowledge. 


HOLD 
I 
Bus Hold 
Request 
and 
Hold Acknowledge 
control 
ownership 
of the 80286 
local bus. The HOLD 


HLDA 
0 
input allows another 
local bus master to request 
control of the local bus. When control 
is granted, 
the 
80286 
will float its bus drivers 
to 3-state 
OFF and then activate 
HLDA, 
thus entering 
the bus hold 
acknowledge 
condition. 
The local 
bus will remain 
granted 
to the requesting 
master 
until 
HOLD 


becomes 
inactive 
which 
results 
in the 80286 
deactivating 
HLDA and regaining 
control 
of the local 


bus. This terminates 
the bus hold acknowledge 
condition. 
HOLD may be asynchronous 
to the system 


clock. These signals 
are active HIGH. 


INTR 
I 
Interrupt 
Request 
requests 
the 80286 
to suspend 
its current 
program 
execution 
and service 
a 
pending 
external 
request. 
Interrupt 
requests 
are masked 
whenever 
the interrupt 
enable 
bit in the 


flag word 
is cleared. 
When 
the 80286 
responds 
to an interrupt 
request, 
it performs 
two interrupt 


acknowledge 
bus cycles to read an 8-bit interrupt 
vector that identifies 
the source 
of the interrupt. 
To 


assure 
program 
interruption, 
INTR must remain 
active until the first interrupt 
acknowledge 
cycle 
is 


completed. 
INTR is sampled 
at the beginning 
of each processor 
cycle and must be active 
HIGH at 


least two processor 
cycles 
before 
the current 
instruction 
ends in order to interrupt 
before 
the next 


instruction. 
INTR is level sensitive, 
active HIGH, and may be asynchronous 
to the system 
clock. 


NMI 
I 
Non-maskable 
Interrupt 
Request 
interrupts 
the 80286 with an internally 
supplied 
vector 
value of 


2. No interrupt 
acknowledge 
cycles 
are performed. 
The interrupt 
enable 
bit in the 80286 
flag word 


does not affect this input. The NMI input is active HIGH, may be asynchronous 
to the system 
clock, 


and is edge triggered 
after 
internal 
synchronization. 
For proper 
recognition, 
the input 
must 
have 


been previously 
LOW for at least four system 
clock cycles and remain 
HIGH for at least four system 


clock cycles. 


Symbol 
Type 
Name and Function 


PEREQ 
I 
Processor Extension Operand Request and Acknowledge 
extend the memory management and protection I 


PEACK 
0 
capabilities of the 80286 to processor extensions. The PEREQ input requests the 80286 to perform a data, 
operand transfer for a processor extension. The 'PE7iCK 
output signals the processor extension when the, 


requested operand is being transferred. PEREQ is active HIGH and floats to 3-state OFF during bus holdl 
acknowledge. 'PE7iCK may be asynchronous to the system clock. 'PE7iCK is active LOW. 


BUSY 
I 
Proce88or 
Extension 
Busy and Error 
indicate 
the operating 
condition 
of a processor 
extension 


ERROR 
I 
to the 80286. 
An active BtmY input 
stops 
80286 
program 
execution 
on WAIT 
and some 
ESC 
instructions 
until BtmY becomes 
inactive 
(HIGH). 
The 80286 
may be interrupted 
while 
waiting 


for BtmY to become 
inactive. 
An active E'RRUR'input causes 
the 80286 to perform 
a processor 


extension 
interrupt 
when 
executing 
WAIT 
or some 
ESC instructions. 
These 
inputs 
are active 


LOW and may be asynchronous 
to the system 
clock. 


RESET 
I 
System 
Reset 
clears 
the internal 
logic of the 80286 
and is active 
HIGH. 
The 80286 
may be re- 


initialized 
at any time with a LOW to HIGH transition 
on RESET 
which 
remains 
active for more than 


16 system 
clock cycles. 
During 
RESET 
active, 
the output 
pins of the 80286 
enter the state shown 


below: 


80286 Pin State During 
Reset 


Pin Value 
Pin Names 


1 (HIGH) 
SO.J?1,PEACK.A23-AO.SHE. LOCK 


o (LOW) 
MilO. COD/INTA.HLDA 


3-stateOFF 
0,5-00 


Operation 
of the 80286 begins after a HIGH to LOW transition 
on RESET. The HIGH to LOW transi- 


tion of RESET 
must be synchronous 
to the system clock. Approximately 
50 system 
clock cycles 
are 


required 
by the 80286 
for internal 
initializations 
before 
the first bus cycle 
to fetch 
code 
from 
the 


power-on 
execution 
address 
is performed. 


A LOW to HIGH transition 
of RESET 
synchronous 
to the 
system 
clock 
will 
end 
a processor' 


cycle 
at the second 
HIGH to LOW transition 
of the system 
clock. 
The 
LOW to HIGH transition 


of RESET may be asynchronous 
to the system 
clock; 
however, 
in this case 
it cannot 
be prede- 


termined 
which 
phase 
of the processor 
clock 
will occur 
during 
the 
next 
system 
clock 
period. 


Synchronous 
LOW 
to 
HIGH 
transitions 
of 
RESET 
are 
required 
only 
for 
systems 
where 
the 


processor 
clock 
must 
be phase 
synchronous 
to another 
clock. 


VSS 
I 
System 
Ground: 
0 VOLTS. 


VCC 
I 
System 
Power: 
+ 5 Volt Power Supply. 


CAP 
I 
Substrate 
Filter 
Capacitor: 
a 0.047fLf 
:!: 20% 12V capacitor 
must be connected 
between 
this pin 


and ground. 
This capacitor 
filters the output of the internal 
substrate 
bias generator. 
A maximum 
DC 


leakage 
current 
of 1 fLa is allowed 
through 
the capacitor. 


For correct 
operation 
of the 80286, 
the substrate 
bias generator 
must charge 
this capacitor 
to its 


operating 
voltage. 
The capacitor 
chargeup 
time is 5 milliseconds 
(max.) 
after VCC and CLK reach 


their specified 
AC and DC parameters. 
RESET 
may be applied 
to prevent 
spurious 
activity 
by the 


CPU 
during 
this lime. 
After 
this time, 
the 80286 
processor 
clock 
can be phase 
synchronized 
to 


another 
clock by pulsing 
RESET 
LOW !;ynchronous 
to the system 
clock. 


Introduction 


The 80286 
is an advanced, 
high-performance 
micro- 


processor 
with specially 
optimized 
capabilities 
for mul- 


tiple user and multi-tasking 
systems. 
Depending 
on the 


application, 
the 80286's 
performance 
is up to six times 


faster than the standard 
5 MHz 8086's, while providing 


complete upward software compatibility with Intel's iAPX 
86, 88, and 186 family of CPU's. 


The 80286 operates in two modes: iAPX 86 real address 
mode and protected 
virtual address mode. Both modes 


execute a superset of the iAPX 86 and 88 instruction set. 


In iAPX 86 real address 
mode programs 
use real ad- 


dresses with up to one megabyte of address space. Pro- 
grams use virtual addresses 
in protected virtual address 


mode, also called protected 
mode. In protected 
mode, 
the 80286 CPU automatically 
maps 1 gigabyte of virtual 


addresses 
per task into a 16 megabyte 
real address 


space. This mode also provides 
memory 
protection 
to 


isolate the operating 
system and ensure privacy of each 


tasks' programs and data. Both modes provide the same 
base instruction 
set, registers, and addressing 
modes. 


The following 
Functional 
Description 
describes first, the 


base 80286 architecture 
common to both modes, sec- 
ond, iAPX 86 real address 
mode, and third, protected 


mode. 


iAPX 286/10 BASE ARCHITECTURE 


The iAPX 86,88, 
186, and 286 CPU family all contain 


the same 
basic set of registers, 
instructions, 
and ad- 


dressing 
modes. The 80286 processor 
is upward com- 
patible with the 8086, 8088, and 80186 CPU's. 


16-811 
REGISTER 


NAME 


7 


SPECIAL 
REGISTER 
FUNCTIONS 


o 


} 


MULTIPLY/DIVIDE 


110 INSTRUCTIONS 


) 
LOOP/SHIFT/REPEAT 
COUNT 


} 
BASE REGISTERS 


} 
INDEX REGISTERS 


) 
STACK 
POINTER 


BYTE 
ADDRESSABLE 
(S·BIT 
REGISTER 
NAMES 
SHOWN) 


AH 
AL 


DH 
DL 


CH 
CL 


BH 
BL 
1 
:: 


cx 


BX 


BP 


The 80286 
base architecture 
has fifteen 
registers 
as 


shown in Figure 3. These registers are grouped into the 
following four categories: 


General 
Registers: 
Eight 16-bit general 
purpose 
reg- 


isters used to contain 
arithmetic 
and logical operands. 


Four of these (AX, BX, CX, and OX) can be used either 
in their entirety as 16-bit words or split into pairs of sep- 
arate 8-bit registers. 


Segment 
Registers: 
Four 16-bit special purpose 
reg- 


isters select, at any given time, the segments of memory 
that are immediately 
addressable 
for code, stack, and 


data. (For usage, refer to Memory Organization.) 


Base and Index Registers: 
Four of the general 
pur- 
pose registers may also be used to determine 
offset ad- 


dresses 
of operands 
in memory. 
These 
registers 
may 
contain 
base addresses 
or indexes 
to particular 
loca- 
tions within 
a segment. 
The addressing 
mode deter- 


mines the specific 
registers 
used for operand 
address 
calculations. 


Status and Control Registers: 
The 3 16-bit 
special 


purpose 
registers 
in figure 
3A record 
or control 
cer- 


tain aspects 
of the 80286 
processor 
state 
including 


the 
Instruction 
Pointer, 
which 
contains 
the 
offset 


address 
of 
the 
next 
sequential 
instruction 
to 
be 
executed. 


15 
0 
cs ~ 
CODE 
SEGMENT 
SELECTOR 


OS 
DATA SEGMENT 
SELECTOR 


SS 
STACK SEGMENT 
SELECTOR 


ES 
EXTRA SEGMENT 
SELECTOR 


SEGMENT 
REGISTERS 


15 
0 


F§FLAGS 


IP 
INSTRUCTION 
POINTER 


MSW 
MACHINE 
STATUS WORD 


STATUS AND CONTROL 
REGISTERS 


STATUS FLAGS: 


CARRY 


PARITY 


AUXILIARY CARRY 


ZERO 


SIGN 


OVERFLOW 


CONTROL FLAGS: 


TRAP FLAG 


INTERRUPT 
ENABLE 
DIRECTION 
FLAG 


SPECIAL FIELDS: 


ItO PRIVILEGE LEVEL 


NESTED TASK FLAG 


TASK SWITCH 


PROCESSOR 
EXTENSION EMULATED 
MONITOR PROCESSOR 
EXTENSION 


PROTECTION 
ENABLE 


Flags Word Description 


The Flags word (Flags) records specific characteristics 
of the result of logical and arithmetic 
instructions 
(bits 0, 
2,4,6,7, 
and 11) and controls the operation of the 80286 


within a given operating 
mode (bits 8 and 9). Flags is a 


16-bit register. The function 
of the flag bits is given in 


Table 2. 


Instruction Set 


The instruction 
set is divided into seven categories: 
data 


transfer, arithmetic, 
shift/rotate/logical, 
string manipula- 
tion, control 
transfer, 
high level instructions, 
and pro- 


cessor 
control. 
These 
categories 
are summarized 
in 


Figure 4. 


An 80286 
instruction 
can reference 
zero, one, or two 


operands; 
where an operand resides in a register, in the 


instruction 
itself, or in memory. 
Zero-operand 
instruc- 


tions (e.g. Nap 
and HLT) are usually one byte long. ane- 
operand instructions 
(e.g. INC and DEC) are usually two 


bytes long but some are encoded in only one byte. ane- 
operand 
instructions 
may reference 
a register or mem- 
ory location. Two-operand 
instructions 
permit the follow- 


ing six types of instruction 
operations: 


-Register 
to Register 


-Memory 
to Register 


-Immediate 
to Register 


-Memory 
to Memory 


-Register 
to Memory 


-Immediate 
to Memory 


Bit 
Name 
Function 
Position 


0 
CF 
Carry Flag-Set 
on high-order bit 


carry or borrow: cleared otherwise 


2 
PF 
Parity Flag-Set 
if low-order 8 bits 


of result contain an even number of 
1-bits; cleared otherwise 


4 
AF 
Set on carry from or borrow to the 
low order four bits of AL; cleared 
otherwise 


6 
ZF 
Zero Flag-Set 
if result is zero; 


cleared otherwise 


7 
SF 
Sign Flag-Set 
equal to high-order 


bitof result(0if positive,1ifnegative) 


11 
OF 
Overflow Flag-Set 
if result isa too- 


large pusitive numberor a too-small 
negativenumber(excludingsign-bit) 
to fit in destinationoperand; cleared 
otherwise 


8 
TF 
Single Step Flag-Once 
set, a sin- 


gle step interrupt occurs after the 
next instruction executes. TF is 
cleared by the single step interrupt. 


9 
IF 
Interrupt-enable Flag-When 
set, 


maskable interrupts will cause the 
CPU to transfer control to an inter- 
rupt vector specified location. 


10 
OF 
Direction 
Flag-Causes 
string 
instructions 
to auto decrement 


the appropriate 
index registers 


when set. Clearing 
OF causes 


auto increment. 


inter 


Two-operand instructions (e.g. MOV and ADD) are usu- 
ally three to six bytes long. Memory to memory opera- 
tions are provided by a special class of string instructions 
requiring one to three bytes. For detailed instruction for- 
mats and encodings refer to the instruction set summary 
at the end of this document. 


GENERAL PURPOSE 


MOV 
Move byte or word 


PUSH 
Push word onto stack 


POP 
Pop word off stack 


PUSHA 
Push all registers 
on stack 


POPA 
Pop all registers 
from stack 


XCHG 
Exchange 
byte or word 
t 


XLAT 
Translate 
byte 
" 


INPUT/OUTPUT 


IN 
Input byte or word 


OUT 
Output 
byte or word 


ADDRESS 
OBJECT 
, 


LEA 
Load effective 
address 


LOS 
Load pointer 
using OS 
,." 
~ 


LES 
Load pointer 
using ES 


FLAG TRANSFER 


LAHF 
Load AH register 
from flags 


SAHF 
Store AH register 
in flags 


PUSHF 
Push flags onto stack 


POPF 
Pop flags off stack 


MOVS 
Move byte or word string 


INS 
Input bytes or word string 


OUTS 
Output bytes or word string 


CMPS 
Compare 
byte or word string 


SCAS 
Scan byte or word string 


LOC,S 
Load byte or word string 


STOS 
Store byte or word string 


REP 
Repeat 


REPE/REPZ 
Repeat 
while equal/zero 


REPNEJREPNZ 
Repeat while not equal/not 
zero 


ADDITION 


ADD 
Add byte or word 


ADC 
Add byte or word with carry 


INC 
Increment 
byte or word by 1 


AAA 
ASCII adjust for addition 


DAA 
Decimal 
adjust for addition 


SUBTRACTION 


SUB 
Subtract 
byte or word 


SBB 
Subtract 
byte or word with borrow 


DEC 
Decrement 
byte or word by 1 


NEG 
Negate 
byte or word 


CMP 
Compare 
byte or word 


AAS 
ASCII adjust for subtraction 


DAS 
Decimal 
adjust for subtraction 


MULTIPLICATION 


MUL 
Multiply 
byte or word unsigned 


IMUL 
Integer 
multiply 
byte or word 


AAM 
ASCII adjust for multiply 


DIVISION 


DIV 
Divide byte or word unsigned 


IDIV 
Integer divide byte or word 


AAD 
ASCII adjust for division 


CBW 
Convert 
byte to word 


CWO 
Convert 
word to doubleword 


LOGICALS 


NOT 
"Not" 
byte or word 


AND 
"And" byte or word 


OR 
"Inclusive 
or" byte or word 


XOR 
"Exclusive 
or" byte or word 


TEST 
"Test" byte or word 


SHIFTS 


SHUSAL 
Shift logical/arithmetic 
left byte or word 


SHR 
Shift logical 
right byte or word 


SAR 
Shift arithmetic 
right byte or word 


ROTATES 


ROL 
Rotate left byte or word 


ROR 
Rotate right byte or word 


RCL 
Rotate through 
carry left byte or word 


RCR 
Rotate through 
carry right byte or word 


CONDITIONAL 
TRANSFERS 
UNCONDITIONAL 
TRANSFERS 


JAlJNBE 
Jump if above/not below nor equal 
CALL 
Call procedure 


JAElJNB 
Jump if above or equal/not below 
RET 
Return from procedure 


JB/JNAE 
Jump if below/not above nor equal 
JMP 
Jump 


JBE/JNA 
Jump if below or equal/not above 


JC 
Jump if carry 
ITERATION 
CONTROLS 


JE/JZ 
Jump if equal/zero 


JG/JNLE 
Jump if greater/not less nor equal 
LOOP 
Loop 


JGE/JNL 
Jump if greater or equal/not less 
LOOPE/LOOPZ 
Loop if equal/zero 


JUJNGE 
Jump if less/not greater nor equal 
LOOPNEILOOPNZ 
Loop if not equal/not zero 


JLElJNG 
Jump if less or equal/not greater 
JCXZ 
Jump if register CX = 0 


JNC 
Jump if not carry 


JNE/JNZ 
Jump if not equal/not zero 
INTERRUPTS 


JNO 
Jump if not overflow 


JNP/JPO 
Jump if not parity/parity odd 
INT 
Interrupt 


JNS 
Jump if not sign 
INTO 
Interrupt if overflow 


JO 
Jump if overflow 
IRET 
Interrupt return 


JP/JPE 
Jump if parity/parity even 


JS 
Jump if sign 


FLAG OPERATIONS 


STC 
Set carry flag 


CLC 
Clear carry flag 


CMC 
Complement carry flag 


STD 
Set direction flag 


CLD 
Clear direction flag 


STI 
Set interrupt enable flag 


CLI 
Clear interrupt enable flag 


EXTERNAL 
SYNCHRONIZATION 


HLT 
Halt until interrupt or reset 


WAIT 
Wait for BUSY not active 


ESC 
Escape to extension processor 


LOCK 
Lock bus during next instruction 


NO OPERATION 


NOP 
No operation 


EXECUTION 
ENVIRONMENT 
CONTROL 


LMSW I 
Load machine status word 


SMSW I 
Store machine status word 


ENTER 
Format stack for procedure entry 


LEAVE 
Restore stack for procedure exit 


BOUND 
Detects values outside prescribed range 


Memory Organization 


Memory 
is organized 
as sets of variable 
length 
seg- 


ments. Each segment 
is a linear contiguous 
sequence 


of up to 64K (216) S-bit bytes. Memory is addressed 
us- 


ing a two-component 
address 
(a pointer) that consists 


of a 16-bit segment 
selector, 
and a 16-bit offset. 
The 


segment 
selector 
indicates 
the 
desired 
segment 
in 


memory. The offset component indicates the desired byte 
address within the segment. 


" 
32·BIT 
POINTER 
. 
I 
SEGMENT 
I 
OFF,SET 
I 
" 


1615 
0 
1 


OPERAND 
SELECTED 


J 


Memory 
Segment 
Register 
Implicit 
Segment 


Reference 
Needed 
Used 
Selection 
Rule 


Instructions 
Code (CS) 
Automatic with instruction prefetch 


Stack 
Stack (SS) 
All stack pushes and pops. Any memory reference which uses BP as a 
base register. 


Local Data 
Data (OS) 
All data references except when relative to stack or string destination 


External (Global) Data 
Extra (ES) 
Alternate data segment and destination of string operation 


All instructions 
that address operands 
in memory must 


specify the segment and the offset. For speed and com- 
pact instruction 
encoding, 
segment 
selectors 
are usu- 


ally stored 
in the high speed 
segment 
registers. 
An 


instruction 
need specify only the desired segment 
reg- 


ister and an offset in order to address a memory operand. 


Most instructions 
need not explicitly specify which seg- 


ment register 
is used. The correct 
segment 
register is 


automatically 
chosen according 
to the rules of Table 3. 
These 
rules follow the way programs 
are written 
(see 


Figure 6) as independent 
modules that require areas for 


code and data, a stack, and access to external data areas. 


Special 
segment 
override 
instruction 
prefixes 
allow 


the 
implicit 
segment 
register 
selection 
rules 
to be 


overridden 
for special 
cases. 
The stack, 
data, 
and 


extra 
segments 
may coincide 
for simple 
programs. 


To access 
operands 
not residing 
in one of the four 


immediately 
available 
segments, 
a full 32-bit 
pointer 


or a new segment 
selector 
must be loaded. 


Addressing Modes 


The 80286 provides 
a total of eight addressing 
modes 


for instructions 
to specify 
operands. 
Two addressing 


modes are provided for instructions 
that operate on reg- 


ister or immediate 
operands: 


Register 
Operand 
Mode: The operand 
is located in 


one of the 8 or 16-bit general registers. 


Immediate 
Operand 
Mode. The operand is included 


in the instruction. 


Six modes are provided to specify the location of an op- 
erand 
in a memory 
segment. 
A memory 
operand 
ad- 


dress 
consists 
of two 
16-bit 
components: 
segment 


selector and offset. The segment selector is supplied by 
a segment 
register 
either implicitly 
chosen 
by the ad- 


dressing 
mode or explicitly chosen by a segment over- 
ride prefix. 
The offset 
is calculated 
by summing 
any 


combination 
of the following three address elements: 


the displacement 
(an 8 or 16-bit immediate 
value 


contained 
in the instruction) 


the 
base 
(contents 
of either 
the 
BX or BP base 


registers) 


the Index (contents of either the 51or DI index registers) 


r---' 
I 
I 


~ 
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MODULE 
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DATA 


PROCESS 
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EXTRA 


SEGMENT 
REGISTERS 
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J 
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Figure 
6. Segmented 
Memory 
Helps 
Structure 
Software 


Any carry out from the 16-bit addition is ignored. 
Eight- 


bit displacements 
are sign extended to 16-bit values. 


Combinations 
of these three address 
elements 
define 


the six memory addressing 
modes, described 
below. 


Direct 
Mode: 
The operand's 
offset is contained 
in the 


instruction 
as an 8 or 16-bit displacement 
element. 


Register 
Indirect 
Mode: The operand's 
offset is in one 


of the registers 51, DI, BX, or BP. 


Based Mode: The operand's 
offset is the sum of an 8 or 


16-bit displacement 
and the contents of a base register 


(BXorBP). 


Indexed Mode: The operand's 
offset is the sum of an 8 


or 16-bit displacement 
and the contents of an index reg- 


ister (SI or 01). 


Based Indexed Mode: The operand's 
offset is the sum 


of the contents of a base register and an index register. 


Based Indexed 
Mode with Displacement: 
The oper- 


and's offset is the sum of a base register's contents, an 
index register's contents, and an 8 or 16-bit displacement. 


Data Types 


The 80286 directly supports the following data types: 


Integer: 
A signed 
binary 
numeric 
value 
con- 
tained in an 8-bit byte or a 16-bit word. 
All operations 
assume 
a 2's comple- 


ment representation. 
Signed 32 and 64- 
bit integers are supported using the iAPX 
286/20 Numeric Data Processor. 


An unsigned 
binary numeric value con- 


tained in an 8-bit byte or 16-bit word. 


A 32-bit quantity, 
composed 
of a seg- 


ment selector component 
and an offset 


component. 
Each component 
is a 16-bit 


word. 


String: 
A 
contiguous 
sequence 
of 
bytes 
or 


words. A string may contain from 1 byte 
to 64K bytes. 


ASCII: 
A byte representation 
of alphanumeric 


and control characters 
using the ASCII 
standard of character 
representation. 


BCD: 
A byte (unpacked) 
representation 
of the 


decimal digits 0-9. 


Packed BCD: 
A byte (packed) 
representation 
of two 


decimal 
digits 0-9 
storing 
one digit in 


each nibble of the byte. 


Floating Point: 
A signed 32, 64, or 80-bit real number 
representation. 
(Floating point operands 


are supported 
using the iAPX 286/20 


Numeric Processor configuration.) 


Figure 
7 graphically 
represents 
the data types 
sup- 
ported by the iAPX 286. 


I/O Space 


The I/O space consists of 64K 8-bit or 32K 16-bit ports. 
I/O instructions 
address the I/O space with either an 8- 


bit port address, 
specified 
in the instruction, 
or a 16-bit 


port address in the OX register. 8-bit port addresses 
are 


zero extended 
such that A1s-Aa 
are LOW. I/O port ad- 


dresses 00F8(H) through OOFF(H) are reserved. 
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BINARY 
7 
+N 
0 
cooeo 
fTTTTTTTl 
DECIMAL L-:--J 


(BCD) 
DI~7~ 
N 


7 
+N 
0 


ASC"~ 


ASCII 
CHARACTERN 


7 
+N 
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PACKED 
f'TTTTTTT1 
BCD L..l---l 
L.-.J 


MOST 
SIGNIFICANT 
DIGIT 


+1 


~ 
BCD 
BCD 
DIGIT 1 
DIGIT 
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~ 
ASCII 
ASCII 
CHARACTER, 
CHARACTERo 


7 
+1 
07 
0 
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EEE:EJ 
L.-.J 


LEAST 
SIGNIFICANT 
DIGIT 


715 
+N 
0 
7115 
+1 
07/15 
0 
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STRING~ 
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BYTE/WORD 
N 
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MAGNITUDE 


inter 


Interrupt 
Related 
Return 
Address 
Function 
Before 
Instruction 
Number 
Instructions 
Causing 
Exception? 


Divide error exception 
0 
DIV,IDIV 
Yes 


Single step interrupt 
1 
All 


NMI interrupt 
2 
All 
, 


Breakpoint interrupt 
3 
INT 


INTO detected overflow exception 
4 
INTO 
No 


BOUND range exceeded exception 
5 
BOUND 
Yes 


Invalid opcode exception 
6 
Any undefined opcode 
Yes 
. 


Processor extension not available exception 
7 
ESCorWAIT 
Yes 


Reserved 
8-15 


Processor extension error interrupt 
16 
ESCorWAIT 
." 


Reserved 
17-31 


User defined 
32-255 


Interrupts 


An interrupt transfers 
execution to a new program loca- 


tion. The old program address (CS:IP) and machine state 
(Flags) 
are saved 
on the stack 
to allow 
resumption 


of the 
interrupted 
program. 
Interrupts 
fall 
into three 


classes: hardware initiated, INT instructions, 
and instruc- 


tion 
exceptions. 
Hardware 
initiated 
interrupts 
occur 


in response 
to an external 
input 
and 
are classified 


as non-maskable 
or maskable. 
Programs 
may cause 


an interrupt 
with an INT instruction. 
Instruction 
excep- 


tions 
occur 
when 
an unusual 
condition, 
which 
pre- 


vents further 
instruction 
processing, 
is detected 
while 


attempting 
to execute 
an instruction. 
The 
return 
ad- 


dress 
from 
an exception 
will always 
point 
at the in- 


struction 
causing the exception 
and include any leading 


instruction 
prefixes. 


A table containing 
up to 256 pointers defines the proper 


interrupt service routine for each interrupt. Interrupts 0- 
31, some of which are used for instruction 
exceptions, 
are reserved. 
For each interrupt, an 8-bit vector must be 


supplied 
to the 80286 which 
identifies 
the appropriate 


table entry. Exceptions 
supply the interrupt vector inter- 


nally. INT instructions 
contain 
or imply the vector and 


allow access to all 256 interrupts. 
Maskable 
hardware 


initiated 
interrupts 
supply 
the 8-bit vector to the CPU 


during 
an interrupt 
acknowledge 
bus sequence. 
Non- 


maskable 
hardware 
interrupts 
use a predefined 
inter- 


nally supplied vector. 


MASKABLE 
INTERRUPT 
(INTR) 


The 80286 provides 
a maskable 
hardware 
interrupt re- 


quest pin, INTR. Software 
enables this input by setting 


the interrupt 
flag bit (IF) in the flag word. All 224 user- 
defined 
interrupt 
sources 
can share this input, yet they 


can retain separate 
interrupt 
handlers. 
An 8-bit vector 
read by the CPU during the interrupt 
acknowledge 
se- 
quence 
(discussed 
in System 
Interface 
section) 
identi- 


fies the source of the interrupt. 


Further maskable 
interrupts 
are disabled 
while servic- 
ing an interrupt 
by resetting 
the IF but as part of the 


response 
to an interrupt 
or exception. 
The saved flag 
word will reflect the enable status of the processor 
prior 


to the interrupt. 
Until the flag word is restored to the flag 
register, the interrupt flag will be zero unless specifically 
set. The interrupt 
return instruction 
includes 
restoring 
the flag word, thereby restoring the original status of IF. 


NON-MASKABLE 
INTERRUPT 
REQUEST 
(NMI) 


A non-maskable 
interrupt 
input (NMI) is also provided. 


NMI has higher priority than INTR. A typical use of NMI 
would be to activate a power failure routine. The activa- 
tion of this input causes 
an interrupt 
with an internally 
supplied 
vector 
value 
of 2. No external 
interrupt 
ac- 


knowledge 
sequence 
is performed. 


While executing the NMI servicing procedure, 
the 80286 
will 
service 
neither 
further 
NMI 
requests, 
INTR 
re- 
quests, 
nor the processor 
extension 
segment 
overrun 
interrupt until an interrupt return (IRET) instruction 
is ex- 
ecuted orthe CPU is reset. If NMI occurs while currently 
servicing 
an NMI, its presence 
will be saved for servic- 


ing after executing the first IRET instruction. IF is cleared 
at the beginning 
of an NMI interrupt 
to inhibit 
INTR 
interrupts. 


The 80286 
has an internal 
interrupt 
that allows 
pro- 
grams to execute one instruction 
at a time. It is called the 
single step interrupt and is controlled 
by the single step 


flag bit (TF) in the flag word. Once this bit is set, an inter- 
nal single step interrupt will occur after the next instruc- 
tion has been executed. 
The interrupt 
clears the TF bit 
and uses an internally 
supplied 
vector of 1. The IRET 


instruction 
is used to set the TF bit and transfer control 


to the next instruction 
to be single stepped. 


Interrupt Priorities 


When simultaneous 
interrupt 
requests 
occur, they are 
processed 
in a fixed order as shown in Table 5. Interrupt 
processing involves saving the flags, return address, and 
setting CS:IP to point at the first instruction 
of the inter- 


rupt handler. If other interrupts 
remain enabled they are 


processed 
before the first instruction 
of the current in- 


terrupt handler is executed. The last interrupt processed 
is therefore 
the first one serviced. 


Order 
Interrupt 


1 
INT instruction or exception 


2 
Single step 


3 
NMI 


4 
Processor extension segment overrun 


5 
INTR 


Initialization and Processor Reset 


Processor 
initialization 
or start up is accomplished 
by 


driving the RESET input pin HIGH. RESET forces the 
80286 to terminate 
all execution 
and local bus activity. 


No instruction 
or bus activity will occur as long as RE- 


SET is active. After RESET 
becomes 
inactive and an 


internal 
processing 
interval elapses, 
the 80286 begins 


execution 
in real address 
mode with the instruction 
at 


physical 
location 
FFFFFO(H). 
RESET 
also sets some 


registers to predefined 
values as shown as shown in 
Table 6. 


Flag word 
Machine Status Word 
Instruction pointer 
Code segment 
Data segment 
Ex1rasegment 
Stack segment 


0002(H) 


FFFO(H) 


FFFO(H) 


FOOO(H) 
OOOO(H) 


OOOO(H) 
OOOO(H) 


Machine Status Word Description 


The machine 
status word (MSW) records when a task 
switch takes place and controls the operating 
mode of 
the 80286. 
It is a 16-bit register of which the lower four 
bits are used. One bit places the CPU into protected 
mode, while the other three bits, as shown in Table 7, 
control the processor 
extension interface. After RESET, 


this register contains 
FFFO(H) which places the 80286 
in iAPX 86 real address mode. 


Table 7. MSW Bit Functions 


Bit 
Name 
Function 
Position 


0 
PE 
~rotected mode ~nable places the 
80286 into protected mode and can 
not be cleared except by RESET. 


1 
MP 
~onitor 
Erocessor ex1ension al- 
lows WAIT instructions to cause a 
processor ex1ension not present 
exception (number 7). 


2 
EM 
Emulate 
processor 
extension 


causes a processor ex1ensionnot 
present exception (number 7) on 
ESC instructions to allow emulat- 
ing a processor extension. 


3 
TS 
Task switched indicates the next 
mstruCiion using a processor ex- 
tension will cause exception 7, al- 
lowing software to test whether the 
current processor extension con· 
text belongs to the current task. 


The LMSW and SMSW instructions 
can load and store 
the MSW in real address mode. The recommended 
use 
of TS, EM, and MP is shown in Table 8. 


Table 8. Recommended 
MSW Encodings 
For Processor 
Extension 
Control 


Instructions 
TS 
MP 
EM 
Recommended 
Use 
Causing 
EXc8j)tlon 
7 


0 
0 
0 
Initial 
encoding 
after 
RESET. 
iAPX 
286 
operation 
is 
identical 
to 
None 
iAPX 86,88. 


0 
0 
1 
No processor ex1ensionis available. Software will emulate its function. 
ESC 


1 
0 
1 
No processor extension is available. Software will emulate its function. The current 
ESC 
processor extension context may belong to another task. 


0 
1 
0 
A processor extension exists. 
None 


1 
1 
0 
A processor extension exists. The current processor extension context may belong 
ESCor 


to another task. The exception on WAIT allows software to test for an error pending 
WAIT 
from a previous processor extension operation. 


The HLT instruction 
stops program 
execution 
and pre- 


vents the CPU from using the local bus until restarted. 
Either NMI, INTR with IF = 1, or RESET will force the 
80286 out of halt. If interrupted, 
the saved CS:IP will 


point to the next instruction 
after the HLT. 


The 80286 executes a fully upward-compatible 
superset 


of the 8086 instruction 
set in real address mode. In real 


address mode the 80286 is object code compatible 
with 


8086 and 8088 software. 
The real address mode archi- 


tecture 
(registers 
and addressing 
modes) is exactly as 


described 
in the iAPX 286/10 Base Architecture 
section 


of this Functional 
Description. 


Memory Size 


Physical 
memory 
is a contiguous 
array 
of 
up 
to 


1,048,576 
bytes (one megabyte) 
addressed 
by pins 


Ao through 
A19 and 
SHE. A20 through 
A23 
may be 


ignored. 


Memory Addressing 


In real address 
mode the processor 
generates 
20-bit 


physical addresses 
directly from a 20-bit segment base 


address and a 16-bit offset. 


The selector 
portion 
of a pointer 
is interpreted 
as the 


upper 
16 bits of a 20-bit segment 
address. 
The lower 


four bits of the 20-bit segment address are always zero. 
Segment addresses, 
therefore, 
begin on multiples of 16 


bytes. See Figure 8 for a graphic 
representation 
of ad- 


dress formation. 


All segments 
in real address mode are 64K bytes in size 


and may be read, written, or executed. 
An exception 
or 


interrupt 
can occur if data operands 
or instructions 
at- 
tempt to wrap around the end of a segment (e.g. a word 
with its low order byte at offset 
FFFF(H) 
and its high 


order byte at offset OOOO(H)).If, in real address mode, 
the information 
contained 
in a segment does not use the 


full 64K bytes, the unused end of the segment 
may be 


overlayed 
by another segment to reduce physical mem- 


ory requirements. 


Reserved Memory Locations 


The 80286 reserves two fixed areas of memory in real 
address mode (see Figure 9); system initialization 
area 


and 
interrupt 
table 
area. 
Locations 
from 
addresses 


FFFFO(H) thorugh 
FFFFF(H) 
are reserved 
for system 


initialization. Initial execution begins at location FFFFO(H). 
Locations OOOOO(H)through 003FF(H) 
are reserved for 


interrupt vectors. 
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Figure 8. iAPX 86 Real Address Mode Address 


Calculation 


Figure 9. iAPX 86 Real Address Mode Initially 


Reserved Memory Locations 


Function 
Interrupt 
Related 
Return Address 


Number 
Instructions 
Before Instruction? 


Interrupt table limit too small exception 
8 
INTvector is not within table limit 
Yes 


Processor extension segment overrun 
9 
ESe with memory operand extend· 
No 


interrupt 
ing beyond offset FFFF(H) 


Segment overrun exception 
13 
Word memory reference with offset 
Yes 
= FFFF(H) or an attempt to exe· 
cute past the end of a segment 


Interrupts 


Table 9 shows the interrupt vectors reserved for excep- 
tions and interrupts 
which indicate an addressing 
error. 


The exceptions 
leave the CPU in the state existing be- 


fore attempting 
to execute the failing instruction 
(except 


for PUSH, 
POP, PUSHA, 
or paPA). 
Refer to the next 


section on protected 
mode initialization 
for a discussion 


on exception 
8. 


Protected Mode Initialization 


To prepare 
the 80286 for protected 
mode, the L1DT in- 


struction 
is used to load the 24-bit interrupt table base 


and 16-bit limit for the protected 
mode interrupt 
table. 
This instruction 
can also set a base and limit for the in- 


terrupt 
vector table in real address 
mode. After reset, 
the interrupt 
table base is initialized 
to OOOOOO(H)and 


its size set to 03FF(H). 
These 
values 
are compatible 


with iAPX 86, 88 software. 
L1DT should 
only be exe- 


cuted in preparation 
for protected 
mode. 


Shutdown 


Shutdown 
occurs when a severe error is detected 
that 


prevents 
further 
instruction 
processing 
by the CPU. 


Shutdown and halt are externally signalled via a halt bus 
operation. They can be distinguished 
by A1 HIGH for halt 


and A1 LOW for shutdown. 
In real address mode, shut- 


down can occur under two conditions: 


• 
Exceptions 
8 or 13 happen and the lOT limit does not 


include the interrupt vector. 


• 
A CALL, 
INT, or POP instruction 
attempts 
to wrap 


around the stack segment when SP is not even. 


An NMI input can bring the CPU out of shutdown 
if the 


lOT limit is at least OOOF(H) and 'SP is greater 
than 


0005(H), otherwise 
shutdown can only be exited via the 


RESET input. 


The 80286 executes a fully upward-compatible 
superset 
of the 8086 instruction 
set in protected 
virtual address 
mode (protected 
mode). Protected 
mode also provides 
memory management 
and protection 
mechanisms 
and 
associated 
instructions. 


The 80286 enters protected 
virtual address mode from 
real address 
mode by setting 
the PE (Protection 
En- 


able) bit of the machine 
status word with the Load Ma- 
chine Status Word (LMSW) instruction. 
Protected mode 
offers extended 
physical 
and virtual 
memory 
address 
space, memory protection 
mechanisms, 
and new oper- 
ations to support operating systems and virtual memory. 


All registers, 
instructions, 
and addressing 
modes 
de- 
scribed in the iAPX 286/10 Base Architecture 
section of 
this Functional 
Description 
remain the same. Programs 
for the iAPX 86, 88, 186, and real address mode 80286 
can be run in protected 
mode; however, embedded 
con- 
stants for segment selectors 
are different. 


Memory Size 


The protected 
mode 80286 provides a 1 gigabyte virtual 
address 
space 
per task mapped 
into a 16 megabyte 
physical address space defined by the address pins A23- 
Ao and SHE. The virtual address 
space may be larger 
than the physical 
address 
space since any use of an 
address that does not map to a physical memory 
loca- 
tion will cause a restartable 
exception. 


Memory Addressing 


As in real address 
mode, protected 
mode uses 32-bit 
pointers, 
consisting 
of 16-bit selector 
and offset com- 


ponents. 
The selector, however, specifies 
an index into 
a memory resident table rather than the upper 16-bits of 
a real memory address. The 24-bit base address of the 


desired segment is obtained from the tables in memory. 
The 16-bit offset is added to the segment base address 
to form the physical address as shown in Figure 10. The 
tables are automatically 
referenced 
by the CPU when- 
ever a segment 
register 
is loaded 
with a selector. 
All 
iAPX 286 instructions 
which load a segment register will 
reference 
the memory 
based tables without additional 
software. 
The memory based tables contain 8 byte val- 
ues called descriptors. 


SEGMENT 
) ~~;~:I~~OR 
DESCRIPTOR 
TABLE 


DESCRIPTORS 


Descriptors 
define the use of memory. Special types of 
descriptors 
also define new functions for transfer of con- 
trol and task switching. 
The 80286 
has segment 
de- 
scriptors for code, stack and data segments, 
and system 
control descriptors for special system data segments and 
control 
transfer 
operations. 
Descriptor 
accesses 
are 
performed 
as locked bus operations 
to assure descrip- 
tor integrity in multi-processor 
systems. 


CODE AND DATA SEGMENT 
DESCRIPTORS 


Besides 
segment 
base addresses, 
code and data de- 
scriptors 
contain 
other 
segment 
attributes 
including 
segment size (1 to 64K bytes), access rights (read only, 
read/write, 
execute only, and execute/read), 
and pres- 
ence in memory (for virtual memory systems) 
(See Fig- 
ure 11). Any segment usage violating a segment attribute 
indicated 
by the segment 
descriptor 
will prevent 
the 
memory cycle and cause an exception or interrupt. 
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Bit 
Name 
Function 
Position 
7 
Present 
(P) 
P=l 
Segment 
is mapped 
into physical 
memory. 


P=O 
No mapping 
to physical 
memory 
exists, base and limit are not used. 
6-5 
Descriptor 
Privilege 
Segment 
privilege 
attribute 
used in privilege 
tests. 


Level (DPL) 
4 
Segment 
Descrip- 
S=l 
Code or Data segment 
descriptor 
tortS) 
S=O 
Non-segment 
descriptor 
3 
Executable 
(E) 
E=O 
Data segment 
descriptor 
type is: 
2 
Expansion 
Direc- 
ED=O 
Grow up segment, 
offsets 
must be '" limit. 


tion(ED) 
}~ 
ED=l 
Grow down segment, 
offsets 
must be > limit. 
segment 


1 
Writeable 
(W) 
W=O 
Data segment 
may not be written 
into. 
W=l 
Data segment 
may be written 
into. 
3 
Executable 
(E) 
E=l 
Cod. SegmooW"';plo ••"" ,,, 
j 
2 
Conforming 
(C) 
C=1 
Code segment 
may only be executed 
when CPL '" DPL. 
Code 


1 
Aeadable 
(A) 
A=O 
Code segment 
may not be read. 
segment 


A=l 
Code segment 
may be read. 


0 
Accessed 
(A) 
A=O 
Segment 
has not been accessed. 
A=l 
Segment 
selector 
has been loaded into segment 
register 
or used by 
selector 
test instructions. 


Code and data are stored 
in two types of segments: 


code 
segments 
and data segments. 
Both types 
are 


identified 
and defined 
by segment 
descriptors. 
Code 


segments 
are identified 
by the executable 
(E) bit set to 


1 in the descriptor 
access rights byte. The access rights 


byte of both code and data segment 
descriptor 
types 


have three fields in common: 
present (P) bit, Descriptor 


Privilege 
Level (DPL), and accessed 
(A) bit. If P = 0, 
any attempted 
use of this segment will cause a not-pres- 


ent exception. 
DPL specifies 
the privilege 
level of the 


segment descriptor. DPL effects when the descriptor may 
be used by a task (refer to privilege 
discussion 
below). 


The A bit shows whether the segment 
has been previ- 
ously accessed 
for usage profiling, a necessity 
for vir- 
tual memory 
systems. 
The CPU will always set this bit 


when accessing 
the descriptor. 


Data segments 
(S = 1, E =0) may be either read-only or 


read-write 
as controlled 
by the W bit of the access rights 


byte. Read-only 
(W = 0) data segments 
may not be writ- 


ten into. Data segments 
may grow in two directions, 
as 


determined 
by the Expansion 
Direction 
(ED) bit: up- 


wards 
(ED = 0) for 
data 
segments, 
and 
downwards 


(ED = 1) for a segment containing 
a stack. The limit field 


for a data segment 
descriptor 
is interpreted 
differently 


depending 
on the ED bit (see Figure 11). 


A code 
segment 
(S=1, 
E=1) 
may be execute-only 


or execute/read 
as determined 
by the Readable 
(R) 


bit. Code 
segments 
may never 
be written 
into and 


execute-only 
code segments 
(R=O) 
may not be read. 


A code 
segment 
may also 
have an attribute 
called 


conforming 
(C). A conforming 
code segment 
may be 


shared 
by programs 
that execute 
at different 
privi- 


lege levels. The DPL of a conforming 
code segment 


defines 
the 
range 
of 
privilege 
levels 
at which 
the 


segment 
may be executed 
(refer to privilege 
discus- 


sion below). The limit field identifies 
the last byte of 


a code segment. 


SYSTEM 
CONTROL 
DESCRIPTORS 


In addition 
to code and data segment 
descriptors, 
the 


protected 
mode 80286 defines system control descrip- 


tors. These descriptors 
define special system data seg- 


ments and control transfer mechanisms 
in the protected 


environment. 
The 
special 
system 
data segment 
de- 
scriptors 
define segments 
which contain tables of de- 


scriptors 
(Local 
Descriptor 
Table 
Descriptor) 
and 


segments 
which contain 
the execution 
state of a task 


(Task State Segment Descriptor). 


The control transfer descriptors are call gates, task gates, 
interrupt 
gates and trap gates. Gates provide a level of 


indirection 
between 
the source 
and destination 
of the 


control transfer. This indirection 
allows the CPU to au- 


tomatically 
perform 
protection 
checks 
and control the 


entry point of the destination. 
Call gates are used to 


change 
privilege 
levels (see Privilege), 
task gates are 


used to perform 
a task switch, 
and interrupt 
and trap 


Name 
Value 
Description 


TYPE 
1 
Available Task State Segment 
2 
Local Descriptor Table Descriptor 


3 
Busy Task State Segment 


P 
0 
Descriptor contents are not valid 


1 
Descriptor contents are valid 


DPL 
0-3 
Descriptor Privilege Level 


BASE 
24-bil 
Base Address of special system data 


number 
segment in real memory 


LIMIT 
16-bit 
Offset of last by1ein segment 
number 


gates are used to specify interrupt service routines. The 
interrupt 
gate disables 
interrupts 
(resets 
IF) while the 
trap gate does not. 


Figure 12 gives the formats for the special system data 
segment 
descriptors. 
The descriptors 
contain 
a 24-bit 


base address of the segment and a 16-bit limit. The ac- 
cess byte defines 
the type of descriptor, 
its state and 
privilege level. The descriptor 
contents are valid and the 
segment 
is in physical 
memory 
if P = 1. If P = 0, the 
segment 
is not valid. The DPL field is only used in Task 
State Segment 
descriptors 
and indicates 
the privilege 
level at which 
the descriptor 
may be used (see Privi- 


lege). Since the Local Descriptor 
Table descriptor 
may 
only be used by a special privileged instruction, 
the DPL 
field is not used. Bit 4 of the access byte is 0 to indicate 
that it is a system control descriptor. The type field spec- 
ifies the descriptor 
type as indicated in Figure 12. 


Figure 13 shows the format of the gate descriptors. 
The 
descriptor 
contains 
a destination 
pointer that points to 
the descriptor 
of the target segment and the entry point 


offset. The destination 
selector in an interrupt gate, trap 
gate, and call gate must refer to a code segment 
de- 
scriptor. These gate descriptors 
contain the entry point 
to prevent 
a program 
from constructing 
and using an 


illegal entry point. Task gates may only refer to a task 
state segment. 
Since task gates invoke a task switch, 


the destination 
offset is not used in the task gate. 


Exception 
13 is generated 
when the gate is used if a 
destination 
selector 
does not refer to the correct 
de- 


Gate Descriptor 
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Name 
Value 
Description 


4 
-Call Gate 


TYPE 
5 
-Task Gate 
6 
-Interrupt Gate 
7 
-Trap Gate 


P 
0 
-Descriptor Contents are not 


valid 
1 
-Descriptor Contents are 
valid 


DPL 
0-3 
Descriptor Privilege Level 


WORD 
Number of words to copy 


COUNT 
0-31 
from callers stack to called 
procedures stack. Only used 
with call gate. 


Selector to the target code 


DESTINATION 
16-bit 
segment (Call, Interrupt or 


SELECTOR 
selector 
TrapGate) 
Selector to the target task 
state segment (TaskGate) 


DESTINATION 
16-bit 
Entry point within the target 


OFFSET 
ollset 
code segment 


scriptor type. The word count field is used in the call gate 
descriptor 
to indicate the number of parameters 
10-31 


words) to be automatically 
copied from the caller's stack 


to the stack of the called routine when a control transfer 
changes privilege levels. The word count field is not used 
by any other gate descriptor. 


The access byte format is the same for all gate descrip- 
tors. P = 1 indicates that the gate contents are valid. P 
= 0 indicates the contents are not valid and causes ex- 


ception 
11.if referenced. 
OPL is the descriptor 
privilege 


levei and specifies when this descriptor 
may be used by 


a task (refer to privilege 
discussion 
below). Bit 4 must 


equal 0 to indicate a system control descriptor. The type 
field specifies the descriptor 
type as indicated in Figure 


13. 


SEGMENT 
DESCRIPTOR 
CACHE REGISTERS 


A segment descriptor cache register is assigned to each 
of the four segment 
registers 
(CS, SS, OS, ES). Seg- 
ment descriptors 
are automatically 
loaded (cached) into 


a segment 
descriptor 
cache register (Figure 14) when- 
ever the associated 
segment 
register is loaded with a 


selector. Only segment 
descriptors 
may be loaded into 
segment 
descriptor 
cache 
registers. 
Once loaded, 
all 
references 
to that segment 
of memory 
use the cached 
descriptor 
information 
instead of reaccessing 
memory. 


The descriptor 
cache 
registers 
are not visible 
to pro- 


grams. No instructions 
exist to store their contents. They 


only change when a segment register is loaded. 


SELECTOR 
FIELDS 


A protected 
mode selector 
has three fields: descriptor 
entry index, local or global descriptor table indicator (TI), 
and selector privilege (RPL) as shown in Figure 15. These 
fields select one of two memory based tables of descrip- 
tors, select the appropriate 
table entry and allow high- 


speed testing of the selector's 
privilege 
attribute 
(refer 
to privilege discussion 
below). 
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LOCAL 
AND GLOBAL 
DESCRIPTOR 
TABLES 


Two tables of descriptors, 
called descriptor tables, con- 
tain all descriptors accessible by a task at any given time. 
A descriptor 
table is a linear array of up to 8192 descrip- 


tors. The upper 13 bits of the selector value are an index 
into a descriptor 
table. Each table has a 24-bit base reg- 


ister to locate the descriptor 
table in physical 
memory 


and a 16-bit limit register that confine descriptor 
access 


to the defined limits of the table as shown in Figure 16. A 
restartable exception (13) will occur if an attempt is made 
to reference 
a descriptor 
outside the table limits. 


One table, 
called the Global 
Descriptor 
Table (GDT), 
contains descriptors 
available to all tasks. The other ta- 
ble, called the Local Descriptor 
Table (LDT), contains 


descriptors 
that can be private to a task. Each task may 


have its own private LDT. The GDT may contain all de- 
scriptor types except interrupt and trap descriptors. 
The 


LDT may contain only segment, task gate, and call gate 
descriptors. 
A segment cannot be accessed 
by a task if 


its segment descriptor 
does not exist in either descriptor 


table at the time of access. 
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Figure 16. Local and Global Descriptor 
Table Definition 


The LGDT and LLDT instructions 
load the base and limit 


of the global and local descriptor tables. LGDT and LLDT 
are protected. 
They may only be executed 
by trusted 


programs operating at level O. The LGDT instruction loads 
a six byte field containing the 16-bit table limit and 24-bit 
base address 
of the Global Descriptor 
Table as shown 


in Figure 17.The LLDT instruction loads a selector which 
refers to a Local Descriptor 
Table descriptor 
containing 


the base address and limit for an LDT, as shown in Fig- 
ure 12. 
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Figure 17. Global Descriptor Table and Interrupt 


Descriptor Table Data Type 


INTERRUPT 
DESCRIPTOR 
TABLE 


The protected 
mode 80286 has a third descriptor table, 


called the Interrupt 
Descriptor 
Table (IDT) (see Figure 


18), used to define up to 256 interrupts. 
It may contain 


only task gates, interrupt gates and trap gates. The IDT 
(Interrupt 
Descriptor Table) has a 24-bit base and 16-bit 


limit register in the CPU. The protected 
L1DT instruction 


loads these registers 
with a six byte value of identical 


form to that of the LGDT instruction 
(see Figure 17 and 


Protected 
Mode Initialization). 


INTERRUPT 
DESCRIPTOR 
TABLE 
(lOT) 
GATE 
FOR 
INTERRUPT 
.01 


GATE FOR 
INTERRUPT 
#0 


References 
to IDT entries 
are made via INT instruc· 


tions, external interrupt vectors, or exceptions. 
The IDT 


must be at least 256 bytes in size to allocate space for 
all reserved 
interrupts. 


Privilege 


The 80286 has a four-level hierarchical 
privilege system 


which controls the use of privileged 
instructions 
and ac- 


cess to descriptors (and their associated segments) within 
a task. Four-level privilege, as shown in Figure 19, is an 
extension of the user/supervisor 
mode commonly found 


in minicomputers. 
The privilege 
levels are numbered 
0 


through 3. Level 0 is the most privileged 
level. Privilege 


HIGH SPEED 
OPERATING 
SYSTEM 
INTERFACE 


CPU 
ENFORCED 
SOFTWARE 
INTERFACES 


levels provide 
protection 
within a task. (Tasks are iso- 
lated by providing 
private LDT's for each task.) Operat- 
ing system routines, interrupt handlers, and other system 
software 
can be included 
and protected 
within the vir- 


tual address space of each task using the four levels of 
privilege. Tasks may also have a separate stack for each 
privilege level. 


Tasks, descriptors, 
and selectors 
have a privilege 
level 


attribute that determines 
whether the descriptor 
may be 


used. Task privilege 
effects the use of instructions 
and 


descriptors. 
Descriptor and selector privilege only effect 


access to the descriptor. 


TASK PRIVILEGE 


A task always executes at one of the four privilege levels. 
The task privilege 
level at any specific instant is called 


the Current 
Privilege 
Level (CPL) and is defined by the 


lower two bits of the CS register. CPL cannot change 
during execution in a single code segment. A task's CPL 
may only be changed 
by control transfers 
through gate 


descriptors 
to a new code segment (See Control Trans- 


fer). Tasks begin executing 
at the CPL value specified 


by the code segment when the task is initiated via a task 
switch operation. 
A task executing at Level 0 can access 


all data segments 
defined in the GDT and the task's LDT 


and is considered 
the most trusted level. A task execut- 


ing at Level 3 has the most restricted access to data and 
is considered 
the least trusted level. 


DESCRIPTOR 
PRIVILEGE 


Descriptor 
privilege 
is specified 
by the Descriptor 
Privi- 


lege Level (DPL) field of the descriptor access byte. DPL 
specifies 
the least trusted 
task privilege 
level (CPL) at 


which a task may access the descriptor. Descriptors with 
DPL = 0 are the most protected. 
Only tasks executing 


at privilege 
level 0 (CPL 
= 0) may access them. De- 


scriptors with DPL = 3 are the least protected 
(I.e. have 


the least restricted access) since tasks can access them 
when CPL = 0, 1, 2, or 3. This rule applies to all descrip- 
tors, except LDT descriptors. 


SELECTOR 
PRIVILEGE 


Selectbr 
priVilege is specified 
by the Requested 
Privi- 


lege Level (RPL) field in the least significant two bits of a 
selector. Selector RPL may establish a less trusted priv- 
ilege level than the current priVilege level for the use of a 
selector. This level is called the task's effective privilege 
level (EPL). RPL can only reduce the scope of a task's 
access to data with this selector. A task's effective privi- 
lege is the numeric maximum 
of RPL and CPL. A selec- 


tor with RPL = 0 imposes no additional 
restriction on its 


use while a selector with RPL = 3 can only refer to seg- 
ments at privilege 
Level 3 regardless 
of the task's CPL. 


RPL is generally 
used to verify that pointer parameters 


passed to a more trusted procedure 
are not allowed to 


use data at a more privileged 
level than the caller (refer 


to pointer testing instructions). 


Descriptor 
Access and Privilege Validation 


Determining 
the ability of a task to access a segment 


involves 
the type of segment 
to be accessed, 
the in- 


struction 
used, the type of descriptor 
used and CPL, 


RPL, and DPL. The two basic types 
of segment 
ac- 


cesses 
are control transfer 
(selectors 
loaded into CS) 


and data (selectors 
loaded into DS, ES or SS). 


DATA SEGMENT 
ACCESS 


Instructions 
that load selectors 
into DS and ES must 


refer to a data segment descriptor or readable code seg- 
ment descriptor. The CPL of the task and the RPL of the 
selector 
must be the same as or more privileged 
(nu- 


merically equal to or lower than) than the descriptor DPL. 
In general, a task can only access data segments 
at the 


same 
or less privileged 
levels than the CPL or RPL 


(whichever 
is numerically 
higher) to prevent a program 


from accessing 
data it cannot be trusted to use. 


An exception 
to the rule is a readable conforming 
code 


segment. 
This type of code segment 
can be read from 


any privilege level. 


If the privilege 
checks fail (e.g. DPL is numerically 
less 


than the maximum of CPL and RPL) or an incorrect type 
of descriptor 
is referenced 
(e.g. gate descriptor 
or exe- 


cute only code segment) exception 
13 occurs. If the seg- 


ment is not present, exception 
11 is generated. 


-segmerii 
descriptors 
for writable 
data segments. 
The 


descriptor 
privilege 
(DPL) and RPL must equal CPL. All 
other descriptor 
types or a privilege 
level violation 
will 


cause exception 
13. A not present fault causes excep- 


tion 12. 


CONTROL TRANSFER 


Four types of control transfer can occur when a selector 
is loaded 
into CS by a control transfer 
operation 
(see 


Table 10). Each transfer type can only occur if the oper- 
ation which loaded the selector 
references 
the correct 


descriptor 
type. Any violation of these descriptor 
usage 


rules (e.g. JMPthrough 
a call gate or RETto a Task State 


Segment) 
will cause exception 
13. 


The ability to reference 
a descriptor 
for control transfer 


is also subject 
to rules of privilege. 
A CALL or JUMP 


instruction 
may only reference 
a code segment descrip- 


tor with DPL equal to the task CPL or a conforming 
seg- 
ment with DPL of equal or greater 
privilege 
than CPL. 


The RPL of the selector used to reference the code de- 
scriptor must have as much privilege as CPL. 


RET and IRET instructions 
may only reference 
code 


segment descriptors 
with descriptor privilege equal to or 
less privileged 
than the task CPL. The selector 
loaded 


into CS is the return address 
from the stack. After the 


return, the selector 
RPL is the task's new CPL. If CPL 


changes, the old stack pointer is popped after the return 
address. 


When a JMP or CALL references 
a Task State Segment 


descriptor, the descriptor 
DPL must be the same or less 


privileged than the task's CPL. Reference to a valid Task 
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Switch Operation). 
Reference 
to a Task State Segment 
descriptor 
at a more privileged 
level than the task's CPL 
generates 
exception 
13. 


When an instruction 
or interrupt 
references 
a gate de- 
scriptor, the gate DPL must have the same or less privi- 
lege than the task CPL. If DPL is at a more privileged 
level than CPL, exception 
13 occurs. 
If the destination 
selector 
contained 
in the gate references 
a code seg- 
ment descriptor, the code segment descriptor 
DPL must 
be the same or more privileged than the task CPL. If not, 
Exception 
13 is issued. 
After the control 
transfer, 
the 
code segment descriptors 
DPL is the task's new CPL. If 


the destination 
selector 
in the gate references 
a task 
state segment, 
a task switch is automatically 
performed 
(see Task Switch Operation). 


The privilege rules on control transfer require: 


-JMP 
or CALL direct to a code segment 
(code seg- 


ment descriptor) 
can only be to a conforming 
segment 


with DPL of equal or greater privilege than CPL or a 
non-conforming 
segment at the same privilege level. 


-interrupts 
within 
the task or calls that may change 
privilege 
levels, can only transfer 
control 
through 
a 
gate at the same or a less privileged 
level than CPL to 
a code segment 
at the same or more privileged 
level 
than CPL. 


-return 
instructions 
that don't switch tasks can only re- 
turn control 
to a code segment 
at the same or less 
privileged 
level. 


-task 
switch can be performed 
by a call, jump or inter- 


rupt which references 
either a task gate or task state 
segment at the same or less privileged 
level. 


Control Transfer Types 
Operation Types 
Descriptor 
Descriptor 


Referenced 
Table 


Intersegment 
within the same privilege 
level 
JMP, CALL, RET, IRET* 
Code Segment 
GOT/LOT 


Intersegment 
to the same or higher privilege 
level Interrupt 
CALL 
Cal/Gate 
GOT/LOT 
within task may change 
CPL. 
Interrupt 
Instruction, 
Trap or 
lOT 


Exception, 
External 
Interrupt 
Interrupt 
Gate 


Intersegment 
to a lower privilege 
level (changes 
task CPL) 
RET,IRET* 
.., 
Code Segment 
GOT/LOT 


CALL,JMP 
.' 
Task State 
GOT 


Segment 


Task Switch 
CALL,JMP 
Task Gate 
GOT/LOT 


IRET** 
Interrupt 
Instruction, 
Task Gate 
lOT 
Exception, 
External 


Interrupt 


"NT 
(Nested 
Task bit of flag word) 
~ 0 


""NT 
(Nested 
Task bit of flag word) 
= 1 


PRIVILEGE 
LEVEL CHANGES 


Any control transfer that changes 
CPL within the task, 


causes a change of stacks as part olthe operation. Initial 
values of SS:SP for privilege 
levels 0, 1, and 2 are kept 
in the task state segment 
(refer to Task Switch Opera- 
tion). During a JMP or CALL control transfer, the new 
stack pointer is loaded into the SS and SP registers and 
the previous stack pointer is pushed onto the new stack. 


When returning to the original privilege level, its stack is 
restored 
as part of the RET or IRET instruction 
opera- 
tion. For subroutine 
calls that pass parameters 
on the 


stack and cross privilege levels, a fixed number of words, 
as specified 
in the gate, are copied from the previous 


stack to the current 
stack. The inter-segment 
RET in- 
struction 
with a stack adjustment 
value will correctly 
re- 


store the previous stack pointer upon return. 


Protection 


The 80286 
includes 
mechanisms 
to protect critical in- 


structions 
that affect the CPU execution state (e.g. HLT) 


and code or data segments from improper usage. These 
mechanisms 
are grouped 
under the term "protection" 


and have three forms: 


Restricted 
usage of segments 
(e.g. no write allowed 
to read-only 
data 
segments). 
The 
only 
segments 


available for use are defined by descriptors 
in the Lo- 
cal Descriptor 
Table (LDT) and Global Descriptor Ta- 


ble(GDT). 


Restricted 
access to segments 
via the rules of privi- 
lege and descriptor. usage. 


Privileged 
instructions 
or operations 
that may only be 
executed 
at certain privilege 
levels as determined 
by 
the CPL and I/O Privilege 
Level (IOPL). The 10PL is 
defined by bits 14 and 13 of the flag word. 


These checks are performed 
for all instructions 
and can 
be split into three categories: 
segment load checks (Ta- 


ble 11), operand 
reference 
checks (Table 12), and privi- 
leged instruction 
checks (Table 13). Any violation of the 


rules shown will result in an exception. 
A not-present 


exception 
related to the stack segment 
causes excep- 
tion 12. 


The IRET and POPF instructions 
do not perform 
some 


of their defined functions 
if CPL is not of sufficient 
privi- 
lege (numerically 
small enough). No exceptions 
or other 
indication are given when these conditions occur. 


The IF bit is not changed if CPL > 10PL. 


The 10PL field of the flag word is not changed if CPL 
>0. 


Table 11 
Segment 
Register Load Checks 


Error Description 
Exception 
Number 


Descriptor 
table limit exceeded 
13 


Segment 
descriptor 
not-present 
110r12 


Privilege 
rules violated 
13 


Invalid descriptor/segment 
type seg- 
ment register 
load: 


-Read 
only data segment 
load to 
" 


SS 
-Special 
control 
descriptor 
load to 
DS,ES,SS 
13 


-Execute 
only segment 
load to 
DS, ES,SS 
-Data 
segment 
load to CS 
-Read/Execute 
code segment 
10adtoSS 


Error Description 
Exception 


Number 


Write into code segment 
13 
Read from execute-only 
code 
. 


segment 
13 
Write to read-only 
data segment 
13 
Segment 
limit exceeded' 
120r13 


Error Description 
Exception 


Number 


9PL 
'" 0 when executing 
the following 
instructions: 
13 


L1DT, LLDT, LGDT, LTR, LMSW, 
CTS,HLT 


CPL > IOPL when executing 
the fol, 
lowing instructions: 
13 


INS, IN, OUTS, 
OUT, STI, CLI, 


LOCK 


EXCEPTIONS 


The 80286 detects several types of exceptions 
and in- 
terrupts, 
in protected 
mode (see Table 14). Most are re- 


startable 
after 
the exceptional 
condition 
is removed. 


Interrupt 
handlers for most exceptions 
receive an error 


code, pushed on the stack after the return address, that 
identifies 
the selector 
involved 
(0 if none). The return 


address normally points to the failing instruction, 
includ- 
ing all leading prefixes. 
For a processor 
extension 
seg- 
ment overrun exception, the return address will not point 
at the ESC instruction 
that caused the exception; 
how- 


ever, the processor 
extension 
registers may contain the 


address of the failing instruction. 


Return 
Always 
Error 
Interrupt 
Function 
Address 
Restart- 
Code 
Vector 
At Failing 
able? 
on Stack? 
Instruction? 


8 
Doubleexceptiondetected 
Yes 
No 
Yes 
9 
Processorextensionsegmentoverrun 
No 
No 
No 
10 
Invalidtaskstatesegment 
Yes 
Yes 
Yes 
11 
Segmentnotpresent 
Yes 
Yes 
Yes 
12 
Stacksegmentoverrunor segmentnotpresent 
Yes 
Yes1 
Yes 
13 
Generalprotection 
Yes 
No 
Yes 


Note 1: WhenaPUSHAorPOPAinstructionattemptstowraparoundthestacksegment,themachinestateaftertheexceptionwillnotbe 
restartable.ThisconditionisidentifiedbythevalueofthesavedSPbeingeitherOOOO(H), 
0001 (H),FFFE(H),orFFFF(H). 


All these checks are performed for all instructions and 
can be split into three categories: segment load checks 
(Table 11), operand reference checks (Table 12), and 
priVileged instruction checks (Table 13). Any violation of 
the rules shown will result in an exception. A not-present 
exception related to the stack segment causes excep- 
tion 12. 


Special Operations 


TASK SWITCH 
OPERATION 


The 80286 provides a built-in task switch operation which 
saves the entire 80286 execution state (registers. ad- 
dress space. and a link to the previous task). loads a 
new execution state. and commences execution in the 
new task. Like gates. the task switch operation is in- 
voked by executing an inter-segment JMP or CALL in- 
struction which refers to a Task State Segment (TSS) or 
task gate descriptor in the GOT or LOT.An INT n instruc- 
tion, exception. or external interrupt may also invoke the 
task switch operation by selecting a task gate descriptor 
in the associated lOT descriptor entry. 


The TSS descriptor points at a segment (see Figure 20) 
containing the entire 80286 execution state while a task 
gate descriptor contains a TSS selector. The limit field 
must be > 002B(H). 


Each task must have a TSS associated with it. The cur- 
rent TSS is identified by a special register in the 80286 
called the Task Register (TR). This register contains a 
selector referring to the task state segment descriptor 
that defines the current TSS. A hidden .base and limit 
register associated with TR are loaded whenever TR is 
loaded with a new selector. 


The IRET instruction is used to return control to the task 
that called the current task or was interrupted. Bit 14 in 
the flag register is called the Nested Task (NT) bit. It 
controls the function of the IRET instruction. If NT = O. 
the IRET instruction performs the regular current task 
return; when NT = 1. IRET performs a task switch op- 
eration back to the previous task. 


When a CALL or INT instruction initiates a task switch. 
the old and new TSS will be marked busy and the back 
link field of the new TSS set to the old TSS selector. The 
NT bit of the new task is set by CALL or INT initiated task 
switches. An interrupt that does not cause a task switch 
will clear NT. NT may also be set or cleared by POPF or 
IRET instructions. 


The task state segment is marked busy by changing the 
descriptor type field from Type 1 to Type 3. Use of a 
selector that references a busy task state segment causes 
Exception 13. 


PROCESSOR 
EXTENSION 
CONTEXT 
SWITCHING 


The context of a processor extension (such as the 80287 
numerics processor) is not changed by the task switch 
operation. A processor extension context need only be 
changed when a different task attempts to use the pro- 
cessor extension (which still contains the context of a 
previous task). The 80286 detects the first use of a pro- 
cessor extension after a task switch by causing the pro- 
cessor extension not present exception (7). The interrupt 
handler may then decide whether a context change is 
necessary. 


Whenever the 80286 switches tasks. it sets the Task 
Switched (TS) bit of the MSW. TS indicates that a pro- 
cessor extension context may belong to a different task 
than the current one. The processor extension not pres- 
ent exception (7) will occur when attempting to execute 
an ESC or WAIT instruction if TS = 1 and a processor 
extension is present (MP = 1 in MSW). 


POINTER 
TESTING 
INSTRUCTIONS 


The iAPX 286 provides several instructions 
to speed 


pointer testing and consistency 
checks for maintain- 
ing system integrity 
(see Table 15). These instruc- 


tions 
use the memory 
management 
hardware 
to 


verify that a selector value refers to an appropriate 
segment without 
risking 
an exception. 
A condition 


flag (ZF) indicates 
whether 
use of the selector 
or 


segment will cause an exception. 
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15 


TASK 
LDT SELECTOR 


DSSELECTOR 


SS SELECTOR 


CSSELECTOR 


ESSELECTOR 


Dt 


SI 


BP 


SP 


BX 


CX 


AX 


FLAG 
WORD 


IP (ENTRY 
POINT) 


SSFOR 
CPL2 


SP FOR CPL2 


SS FOR CPL 
1 


SP FOR CPL 
1 


SS FOR CPLO 


SP FOR CPLO 


BACK 
LINK 
SELECTOR 
TO TSS 


TYPE 
DESCRIPTION 


1 
AN AVAILABLE 
TASK 
STATE 
SEGMENT. 
MAY BE USED 
AS 
THE 
DESTINATION 
OF A TASK 
SWITCH 
OPERATION. 


3 
A BUSY 
TASK 
STATE SEGMENT. 


CANNOT 
BE USED 
AS THE 
DESTINATION 
OF A TASK 
SWITCH. 


BYTE 
o 
OFFSET 


42 


40 


38 


38 


P 
DESCRIPTION 
1 
BASE 
AND 
LIMIT 
FIELDS 
ARE 
VALID 
0 
SEGMENT 
IS NOT PRESENT 
IN 
MEMORY, 
BASE 
AND 
LIMIT 
ARE 
NOT 
DEFINED 
34 


32 


30 


28 
CURRENT 
TASK 
26 
STATE 


24 


22 


20 


18 


16 


INITIAL 
STACKS 
FOR CPL 
0,1,2 


Instruction 
Operands 
Function 


ARPL 
Selector, 
Adjust 
Requested 
Privi- 


Register 
lege Level:adjuststhe RPL 
of the selector to the nu- 
meric maximum of current 
selector RPLvalue andthe 
RPL value in the register. 
Setzeroflag if selector RPL 
was changed. 


VERR 
Selector 
VERify for Read: sets the 
zero flag if the segment re- 
ferred to bythe selectorcan 
be read. 


VERW 
Selector 
VERify for Write: sets the 
zero flag if the segment re- 
ferred to bythe selectorcan 
be written. 


LSL 
Register, 
Load Segment Limit: reads 


Selector 
the segment limit into the 
registerifprivilegerulesand 
descriptor type allow. Set 
zero flag if successful. 


LAR 
Register, 
Load Access Rights: reads 


Selector 
the descriptoraccess rights 
byte into the register if priv- 
ilege rules allow. Set zero 
flag if successful. 


DOUBLE 
FAULT AND SHUTDOWN 


If two separate 
exceptions 
are detected during a single 


instruction 
execution, 
the 80286 
performs 
the double 


fault exception 
(8). If an exception 
occurs during pro- 


cessing of the double fault exception, the 82086 will en- 
ter shutdown. 
Ouring shutdown 
no further 
instructions 


or exceptions 
are processed. 
Either NMI (CPU remains 


in protected mode) or RESET (CPU exits protected mode) 
can force the 80286 out of shutdown. Shutdown is exter- 
nally signalled via a HALT bus operation with A1 HIGH. 


PROTECTED 
MODE INITIALIZATION 


The 80286 
initially 
executes 
in real 
address 
mode 


after RESET. To allow initialization 
code to be placed 


at the top of physical 
memory, 
A23-20 
will be HIGH 


when 
the 
80286 
performs 
memory 
references 


relative to the CS register 
until CS is changed. 
A23-20 


will 
be zero 
for 
references 
to the 
OS, ES, or SS 


segments. 
Changing 
CS in real address 
mode 
will 


force 
A23-20 
LOW whenever 
CS is used again. 
The 


initial CS:IP value of FOOO:FFFO 
provides 
64K bytes 


of code space for initialization 
code without 
chang- 


ing CS. 


Protected 
mode 
operation 
requires 
several 
regis- 


ters to be initialized. 
The GOT and lOT base regis- 
ters 
must 
refer 
to 
a valid 
GOT 
and 
lOT. 
After 


executing 
the LMSW instruction 
to set PE, the 80286 


must 
immediately 
execute 
an 
intra-segment 
JMP 


instruction 
to clear the instruction 
queue 
of instruc- 


tions decoded 
in real address 
mode. 


IU lur(;l' HIe ov",oo vt'u registers 
to matcn tne Inttlal 


protected 
mode state assumed 
by software, 
execute 
a JMP 
instruction 
with 
a selector 
referring 
to the 


initial TSS used in the system. 
This will load the task 


register, 
local 
descriptor 
table 
register, 
segment 


registers 
and 
initial 
general 
register 
state. 
The TR 


should 
point 
at a valid 
TSS 
since 
any task 
switch 


operation 
involves 
saving 
the current 
task state. 


The 80286 
system 
interface 
appears 
in two forms: 
a 


local bus and a system 
bus. The local bus consists 
of 


address, 
data, status, and control signals at the pins of 


the CPU. A system 
bus is any buffered 
version of the 


local bus. A system 
bus may also differ from the local 
bus in terms of coding of status and control lines and/or 
timing and loading of signals. 
The iAPX 286 family in- 


cludes 
several 
devices 
to generate 
standard 
system 


buses such as the IEEE 796 standard Multibus ,•. 


Bus Interface Signals and Timing 


The iAPX 286 microsystem local bus interfaces the 80286 
to local memory and I/O components. 
The interface has 


24 address lines, 16 data lines, and 8 status and control 
signals. 


The 80286 CPU, 82284 clock 
generator, 
82288 
bus 


controller, 
82289 
bus arbiter, 
8286/7 
transceivers, 


and 8282/3 
latches 
provide 
a buffered 
and decoded 


system 
bus 
interface. 
The 
82284 
generates 
the 


system clock and synchronizes 
REAOY and RESET. 


The 82288 converts 
bus operation 
status 
encoded 


by the 80286 into command 
and bus control 
signals. 


The 
82289 
bus 
arbiter 
generates 
Multibus 
bus 


arbitration 
signals. 
These 
components 
can provide 


the timing 
and electrical 
power 
drive levels 
required 


for most system bus interfaces 
including 
the Multibus. 


Physical Memory and I/O Interface 


A maximum 
of 16 megabytes 
of physical 
memory 
can 


be addressed 
in protected 
mode. One megabyte can be 


addressed 
in real address mode. Memory is accessible 


as bytes or words. Words consist of any two consecutive 
bytes addressed 
with the least significant 
byte stored in 


the lowest address. 


Byte transfers occur on either half of the 16-bit local data 
bus. Even bytes are accessed over 07-0 while odd bytes 
are transferred 
over 015-8' 
Even-addressed 
words are 


transferred 
over 015-0 
in one bus cycle, while odd-ad- 


dressed 
words 
require 
two bus operations. 
The first 


transfers 
data on 015-8, and the second transfers 
data 


on 07-0. 
Both byte data transfers 
occur automatically, 


transparent 
to software. 


Two bus signals, Ao and SHE, control transfers over the 
lower and upper halves of the data bus. Even address 


byte transfers 
are indicated by Ao LOW and SHE HIGH. 


Odd address 
byte transfers 
are indicated 
by Ao HIGH 
and SHE LOW. Both Ao and SHE are LOW for even ad- 
dress word transfers. 


The I/O address space contains 64K addresses 
in both 
modes. The I/O space is accessible 
as either bytes or 
words, as is memory. Byte wide peripheral devices may 
be attached to either the upper or lower byte of the data 
bus. Byte-wide 
I/O devices 
attached 
to the upper data 
byte (015-8) 
are accessed 
with odd I/O addresses. 
De- 


vices on the lower data byte are accessed with even 11.0 
addresses. 
An interrupt controller such as Intel's 8259A 
must be connected to the lower data byte (D7-{)) for proper 
return of the interrupt vector. 


Bus Operation 


The 80286 uses a double frequency 
system clock (CLK 


input) to control bus timing. All signals on the local bus 
are measured relative to the system CLK input. The CPU 
divides 
the system 
clock by 2 to produce 
the internal 
processor 
clock, which determines 
bus state. Each pro- 
cessor clock is composed 
of two system clock cycles 
named phase 1 and phase 2. The 82284 clock generator 
output (PCLK) identifies the next phase of the processor 
clock. (See Figure 21.) 
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Figure 21. System and Processor 
Clock Relationships 


Six types of bus operations..are supported; memory read, 
memory 
write, 
I/O read, 
I/O write, 
interrupt 
acknowl- 
edge, and halt/shutdown. 
Data can be transferred 
at a 
maximum rate of one word per two processor clock cycles. 


The iAPX 286 bus has three basic states: idle (Tj), send 
status (Ts),and perform command 
(Td. The 80286 CPU 
also has a fourth local bus state called hold (Th)' Th in- 
dicates that the 80286 has surrendered 
control of the 
local bus to another bus master in response to a HOLD 
request. 


Each bus state is one processor 
clock long. Figure 22 
shows 
the four 
80286 
local 
bus states 
and allowed 
transitions. 


Bus States 


The idle (Ti) state indicates 
that no data transfers 
are 
in progress 
or requested. 
The first 
active 
state 
(Ts) 


is signaled 
by status 
line S1 or SO going 
LOW and 
identifying 
phase 
1 of the 
processor 
clock. 
During 
TS' the command 
encoding, 
the address, 
and data 
(for a write 
operation) 
are available 
on the 
80286 
output 
pins. The 82288 
bus controller 
decodes 
the 
status 
signals 
and 
generates 
Multibus 
compatible 
read/write 
command 
and 
local 
transceiver 
control 
signals. 


After Ts' the perform 
command 
(Tc) state is entered. 


Memory 
or I/O devices 
respond 
to the bus operation 
during Tc' either transferring 
read data to the CPU or 
accepting write data. Tc states may be repeated as often 
as necessary to assure sufficient time for the memory or 
I/O device to respond. 
The REAm signal determines 
whether Tc is repeated. 


During hold (Th), the 80286 will float all address, 
data, 


and status output pins enabling 
another bus master to 
use the local bus. The 80286 HOLD input signal is used 
to place the 80286 into the T h state. The 80286 HLDA 
output signal indicates that the CPU has entered Th. 


Pipelined Addressing 


The 80286 uses a local bus interface with pipelined tim- 
ing to allow as much time as possible for data access. 
Pipelined timing allows bus operations 
to be performed 
in two processor 
cycles, while allowing each individual 
bus operation to last for three processor 
cycles. 


The timing of the address outputs is pipelined such that 
the address of the next bus operation becomes available 
during the current bus operation. 
Or in other words, the 
first clock of the next bus operation 
is overlapped 
with 
the last clock of the current 
bus operation. 
Therefore, 


address 
decode 
and routing 
logic can operate 
in ad- 
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vance of the next bus operation. External address latches 
may hold the address stable forthe entire bus operation, 
and provide additional AC and DC buffering. 


The 80286 does not maintain the address of the current 
bus operation 
during all Tc states. Instead, the address 


for the next bus operation 
may be emitted during phase 


2 of any Tc. The address 
remains valid during phase 1 


of the first Tc to guarantee 
hold time, relative to ALE, for 


the address latch inputs. 


Bus Control Signals 


The 82288 bus controller 
provides 
control signals; ad- 
dress latch enable (ALE), ReadlWrite 
commands, 
data 


transmit/receive 
(DT/R), 
and data enable 
(DEN) that 


control the address latches, data transceivers, 
write en- 


able, and output enable for memory and I/O systems. 


The Address Latch Enable (ALE) output determines when 
the address 
may be latched. ALE provides at least one 


system CLK period of address hold time from the end of 
the previous bus operation 
until the address for the next 


bus operation appears at the latch outputs. This address 
hold time is required to support Multibus<!l and common 
memory systems. 


The data bus transceivers 
are controlled 
by 82288 out- 


puts Data Enable (DEN) and Data TransmitIReceive 
(DT/ 


R). DEN enables the data transceivers; 
while DT/R con- 


trols transceiver 
direction. 
DEN and DT/R are timed to 


prevent 
bus contention 
between 
the bus master, data 


bus transceivers, 
and system data bus tranceivers. 


Command Timing Controls 


Two system timing customization 
options, command ex- 


tension and command 
delay, are provided on the iAPX 


286 local bus. 


Command 
extension 
allows additional 
time for external 


devices to respond to a command 
and is analogous 
to 
inserting wait states on the 8086. External logic can con- 
trol the duration 
of any bus operation 
such that the op- 


eration is only as long as necessary. 
The READY 
input 


signal 
can extend 
any bus operation 
for as long as 


necessary. 


Command 
delay allows an increase of address or write 


data setup time to system bus command 
active for any 


bus operation 
by delaying 
when the system 
bus com- 


mand becomes 
active. Command 
delay is controlled 
by 


the 82288 
CMDLY 
input. After 
Ts, the bus controller 
samples CMDLY at each failing edge of CLK. If CMDLY 
is HIGH, the 82288 will not activate the command signal. 
When CMDLY is LOW, the 82288 will activate the com- 
mand signal. After the command 
becomes 
active, the 


CMDLY input is not sampled. 


When a command 
is delayed, 
the available 
response 


time from command 
active to return read data or accept 


write data is less. To customize 
system 
bus timing, an 


address 
decoder 
can determine 
which bus operations 


require delaying the command. 
The CMDLY input doErs 


not affect the timing of ALE, DEN, or DT/R. 
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Figure 
24 illustrates 
four uses of CMDlY. 
Example 
1 


shows delaying the read command two system ClKs for 
cycle N-1 and no delay for cycle N, and example 2 shows 
delaying the read command 
one system ClK 
for cycle 


N-1 and one system ClK delay for cycle N. 


Bus Cycle Termination 


At maximum transfer rates, the iAPX 286 bus alternates 
between the status and command states. The bus status 
signals become 
inactive after T5 so that they may cor- 


rectly signal the start of the next bus operation 
after the 


completion 
of the current cycle. No external indication of 


Tc exists on the iAPX 286 local bus. The bus master and 
bus controller 
enter Tc directly after Ts and continue ex- 


ecuting Tc cycles ~ntil terminated 
by READY. 


READY Operation 


The current bus master and 82288 bus controller termi- 
nate 
each 
bus 
operation 
simultaneously 
to achieve 


maximum bus bandwidth. 
Both are informed in advance 


by READY active which identifies the last Tc cycle of the 


current bus operation. 
The bus master and bus control- 


ler must see the same sense of the READY signal, thereby 
requiring READY be synchronous 
to the system clock. 


Synchronous Ready 


The 82284 clock generator 
provides READY synchro- 


nization 
from 
both 
synchronous 
and 
asynchronous 


sources 
(see Figure 25). The synchronous 
ready input 


(SROY) of the clock generator is sampled with the falling 
edge of ClK 
at the end of phase 1 of each Tc. The state 


of SROY is then broadcast 
to the bus master and bus 


controller via the READY output line. 


Asynchronous Ready 


Many systems 
have devices 
or subsystems 
that are 


asynchronous to the system clock. As a result, their ready 
outputs cannot be guaranteed 
to meet the 82284 SROY 


setup and hold time requirements. 
The 82284 asynchro- 


nous ready input (AROY) is designed 
to accept 
such 


signals. The AROY input is sampled 
at the beginning 
of 


each Tc cycle by 82284 synchronization 
logic. This pro- 


vides a system ClK cycle time to resolve its value before 
broadcasting 
it to the bus master and bus controller. 
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(SEE NOTE 3.) 


NOTES: 
1. S1'il5YEN is active low 
2. II SRDYEN is high, the state 01SRDY will not effect READY 
3. ARDYEN is active low 


ARDY or ARDYEN 
must 
be HIGH at the end of Ts. 


ARDY 
cannot 
be used 
to terminate 
bus cycle 
with 


no wait states. 


Each 
ready 
input 
of the 
82284 
has 
an enable 
pin 


(SRDYEN 
and ARDYEN) 
to select whether the current 


bus operation 
will be terminated 
by the synchronous 
or 


asynchronous 
ready. Either of the ready inputs may ter- 


minate a bus operation. 
These enable inputs are active 


low and have the same timing as their respective 
ready 


inputs. Address 
decode 
logic usually selects 
whether 


the current bus operation should be terminated by ARD'i' 
orSROY. 


Data Bus Control 


Figures 26, 27, and 28 show how the DT/R, DEN, data 
bus, and address signals operate for different combina- 
tions of read, write, and idle bus operations. 
DT/R goes 


active (LOW) for a read operaton. 
DT/R remains HIGH 


before, during, and between write operations. 


The data bus is driven with write data during the second 
phase of Ts. The delay in write data timing allows the 
read data drivers, from a previous 
read cycle, sufficient 
time to enter 3-state OFF before the 80286 CPU begins 
driving the local data bus for write operations. 
Write data 


will always remain valid for one system clock past the 
last Tc to provide sufficient hold time for Multibus or other 
similar memory or I/O systems. During write-read or write- 
idle sequences 
the data bus enters 3-state OFF during 


the second 
phase of the processor 
cycle after the last 


Tc. In a write-write 
sequence the data bus does not enter 


3-state OFF between Tc and Ts. 


Bus Usage 


The 80286 local bus may be used for several functions: 
instruction 
data transfers, 
data transfers 
by other bus 


masters, instruction 
fetching, 
processor 
extension data 


transfers, interrupt acknowledge, and halt/shutdown. This 
section describes local bus activities which have special 
signals or requirements. 
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HOLD and HLDA 


HOLD and HLDA allow another bus master to gain con- 
trol of the local bus by placing the 80286 bus into the Th 
state. The sequence 
of events required to pass control 


between 
the 80286 and another 
local bus master are 


shown in Figure 29. 


In this example, 
the 80286 is initially in the Th state as 


signaled by HLDA being active. Upon leaving Th, as sig- 
naled by HLDA going inactive, a write operation is started. 
During the write operation 
another local bus master re- 


quests the local bus from the 80286 as shown by the 
HOLD signal. After completing 
the write operation, 
the 


80286 performs one Tj bus cycle, to guarantee write data 
hold time, then enters Th as signaled 
by HLDA going 


active. 


The CMDLY signal and ARDY ready are used to start 
and stop the write bus command, 
respectively. 
Note that 


SRO'Y must be inactive or disabled by SRDYEN to guar- 
antee ARDY will terminate 
the cycle. 


Instruction Fetching 


The 80286 Bus Unit (BU) will fetch instructions 
ahead of 


the current 
instruction 
being executed. 
This activity 
is 


called prefetching. 
It occurs when the local bus would 


otherwise 
be idle and obeys the following rules: 


A prefetch bus operation starts when at least two bytes 
of the 6-byte prefetch queue are empty. 


The prefetcher 
normally performs word prefetches 
in- 


dependent 
of the byte alignment 
of the code segment 


base in physical memory. 


The prefetcher 
will perform only a byte code fetch op- 


eration for control transfers to an instruction beginning 
on a numerically 
odd physical address. 


Prefetching 
stops whenever 
a control transfer or HLT 


instruction 
is decoded 
by the IU and placed into the 


instruction 
queue. 


In real address 
mode, 
the prefetcher 
may fetch 
up 
to 6 bytes 
beyond 
the last control 
transfer 
or HL T 
instruction 
in a code segment. 


In protected 
mode, the prefetcher 
will never cause a 


segment 
overrun 
exception. 
The prefetcher 
stops at 


the last physical 
memory word of the code segment. 


Exception 
13 will occur if the program attempts to ex- 


ecute 
beyond 
the 
last full 
instruction 
in the 
code 


segment. 


If the last byte of a code segment appears on an even 
physical memory address, the prefetcher will read the 
next physical 
byte of memory 
(perform 
a word code 


fetch). The value of this byte is ignored 
and any at- 


tempt to execute it causes exception 
13. 
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NOTES: 
1. Status IInas are not driven by 80286, yet remain high due to pullup resistors In 82288 and 82289 during HOLD state. 


2. Address, M/iO and COD/INTA may start floating during any TC depending on when Internal 80286 bus arbiter decides to release bus to 


external HOLD. The float starts In 4>2of TC. 


3. SHE and LOCK may start floating after the end of any TC depending on when Internal 80286 bus arbiter decides to release bus to external 
HOLD. The float starts In 4>1of TC. 


4. The minimum HOLD 
to HLDA 
time is shown. Maximum Is one TH longer. 


5. The earliest HOLD 
lime Is shown. It will always allow a subsequent memory cycle if pending is shown. 


6. The minimum HOLD 
to HLDA 
lime is shown. Maximum is a funcllon of the instruction, type of bus cycle and other machine status (i.e., 


Interrupts, Walts, Lock, etc.) 


7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state 
is ignored after ready Is signaled via the asynchronous input. 


The processor 
extension 
interface 
uses 
I/O port ad- 


dresses 00F8(H), OOFA(H), and OOFC(H) which are part 
of the I/O port address range reserved by Intel. An ESC 
instruction 
with EM = 0 and TS = 0 will perform I/O bus 


operations 
to one or more of these I/O port addresses 


independent 
of the value of 10PL and CPL. 


ESC instructions 
with memory 
references 
enable the 


CPU to accept 
PEREa 
inputs for processor 
extension 


operand transfers. 
The CPU will determine the operand 


starting address and read/write status of the instruction. 
For each operand transfer, two or three bus operations 
are performed, 
one word transfer with I/O port address 


OOFA(H) and one or two bus operations 
with memory. 


Three bus operations 
are required for each word oper- 


and aligned on an odd byte address. 


Interrupt Acknowledge Sequence 


Figure 
30 
illustrates 
an 
interrupt 
acknowledge 
se- 
quence performed 
by the 80286 in response to an INTR 


input. An interrupt 
acknowledge 
sequence 
consists 
of 


two INTA bus operations. The first allows a master 8259A 
Programmable 
Interrupt 
Controller 
(PIC) to determine 


which if any of its slaves should return the interrupt vec- 
tor. An eight bit vector is read by the 80286 during the 
second 
INTA bus operation 
to select an interrupt 
han- 


dier routine from the interrupt table. 


The Master Cascade 
Enable (MCE) signal of the 82288 


is used to enable the cascade 
address drivers, during 


INTA bus operations 
(See Figure 30), onto the local ad- 


dress bus for distribution 
to slave interrupt controllers via 


the system 
address 
bus. The 80286 
emits the rncK 


signal (active LOW) during Ts of the first INTA bus oper- 
ation. A local bus "hold" request will not be honored until 
the end of the second INTA bus operation. 


Three idle processor 
clocks are provided by the 80286 


between 
INTA bus operations 
to allow for the minimum 


INTA to INTA time and CAS (cascade address) out delay 
of the 8259A. The second 
INTA bus operation 
must al· 


ways have at least one extra Testate 
added via logic 


controlling READY. A23-Ao are in 3-state OFF until after 
the first Testate 
of the second INTA bus operation. 
This 


prevents bus contention 
between the cascade address 


drivers and CPU address drivers. The extra Tc state al- 
lows time for the 80286 to resume driving the address 
lines for subsequent 
bus operations. 


The 80286 local bus is shared among several internal 
units and external 
HOLD requests. 
In case of simulta- 
neous requests, their relative priorities are: 


(Highest) 
Any transfers 
which assert rncK either ex· 


plicitly 
(via the LOCK instruction 
prefix) or 


implicitly 
(I.e. segment 
descriptor 
access, 


interrupt 
acknowledge 
sequence, 
or an 


XCHG with memory). 


The second of the two byte bus operations 
required for an odd aligned word operand. 


The second 
or third 
cycle 
of a processor 


extension 
data transfer. 


Local bus request via HOLD input. 


Processor 
extension 
data operand transfer 


via PEREa 
input. 


Data transfer performed 
by EU as part of an 


instruction. 


(Lowest) 
An instruction prefetch request from BU. The 
EU will 
inhibit 
prefetching 
two 
processor 


clocks 
in advance 
of any data transfers 
to 


minimize waiting by EU for a prefetch to finish. 


Halt or Shutdown Cycles 


The 80286 externally 
indicates halt or shutdown 
condi- 


tions as a bus operation. 
These conditions 
occur due to 


a HLT instruction 
or multiple protection 
exceptions 
while 


attempting 
to execute 
one instruction. 
A halt or shut- 


down bus operation 
is signalled when ST, SO and COD/ 


Tf'JTAare LOW and M/TO is HIGH. A1 HIGH indicates 
halt, and A1 LOW indicates 
shutdown. 
The 82288 bus 


controller does not issue ALE, nor is READY required to 
terminate 
a halt or shutdown bus operation. 


During halt or shutdown, the 80286 may service PEREa 
or HOLD 
requests. 
A processor 
extension 
segment 


overrun 
exception 
during 
shutdown 
will inhibit further 


service 
of PEREa. 
Either NMI or RESET will force the 


80286 out of either halt or shutdown. 
An INTR, if inter- 


rupts are enabled, 
or a processor 
extension 
segment 


overrun exception will also force the 80286 out of halt. 
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NOTES: 
,. 
Data is ignored. 


2. FirstlNTA cycle should have at least one wait state inserted to meet 8259A minimum INTA pulse width. 


3. Second INTA cycle must have at least one wait state inserted since the CPU will not drive A23 - Ao. BRE. and LOCK until after the first 
TCstate. 


The CPU imposed one/clock delay prevents bus CQntentionbetween cascade address buffer being disabled by MCE + and address 
outputs. 


Without the wait state. the 80286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The 
8259A also requires one wait state for minimum INTA pulse width. 


4. LOCK is active for the firstlNTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system. 


5. A23 - Aoexits 3-state OFF during cf>2of the second Tc in the INTA cycle. 
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The versatile 
bus structure 
of the iAPX 286 microsys- 
tem, with a full complement 
of support chips, allows flex- 


ible configuration 
of a wide range of systems. The basic 


configuration, 
shown in Figure 31, is similar to an iAPX 


86 maximum 
mode system. It includes the CPU plus an 


8259A 
interrupt 
controller, 
82284 clock generator, 
and 


the 82288 
Bus Controller. 
The iAPX 86 latches (8282 


and 8283) and transceivers 
(8286 and 8287) may be 


used in an iAPX 286 microsystem. 


As indicated by the dashed lines in Figure 31, the ability 
to add processor extensions is an integral feature of iAPX 
286 microsystems. 
The processor 
extension 
interface 


allows external 
hardware 
to perform 
special functions 


and transfer data concurrent with CPU execution of other 
instructions. 
Full system integrity is maintained 
because 


the 80286 supervises 
all data transfers 
and instruction 


execution for the processor 
extension. 


The 
iAPX 
286/20 
numeric 
data processor 
which 
in- 
cludes the 80287 numeric 
processor 
extension 
(NPX) 


uses this interface. 
The iAPX 286/20 has all'the instruc- 
tions and data types of an iAPX 86/20 or iAPX 88/20. 
The 80287 NPX can perform 
numeric calculations 
and 


data transfers 
concurrently 
with CPU program 
execu- 


tion. Numerics code and data have the same integrity as 
all other information 
protected 
by the iAPX 286 protec- 
tion mechanism. 


The 80286 can overlap 
chip select 
decoding 
and ad· 


dress propagation 
during the data transfer for the pre- 


vious bus operation. 
This information 
is latched into the 
8282/3's 
by ALE during the middle of a Ts cycle. The 
latched 
chip select 
and address 
information 
remains 


stable during the bus operation 
while the next cycles 


address is being decoded 
and propagated 
into the sys- 


tem. Decode logic can be implemented with a high speed 
bipolar PROM. 


The optional decode logic shown in Figure 31 takes ad- 
vantage of the overlap between address and data of the 
80286 bus cycle to generate advanced 
memory and 10- 


select 
signals. 
This 
minimizes 
system 
performance 
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I 
EXTENSION 
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I 
(OPTIONAL) 
I ~ 


) 


MUlTI.US 


BUS 
ARBITRATION 


MEMORY 
READ 


MEMORY 
WRITE 


IDREAD 


1'0 WRITE 


INTERRUPT 
ACKNOWLEDGE 


degradation 
caused 
by address 
propogation 
and de- 


code delays. 
In addition 
to selecting 
memory 
and 110, 


the advanced 
selects 
may be used with configurations 


supporting 
local and system buses to enable the appro- 


priate bus interface 
for each bus cycle. The COD/lfJ1'A 


and MilO signals are applied to the decode logic to dis- 
tinguish between interrupt, 110, code and data bus cycles. 


By adding the 82289 bus arbiter chip the 80286 provides 
a Multibus system bus interface 
as shown in Figure 32. 


The ALE output of the 82288 for the Multibus 
bus is 


connected 
to its CMDlY 
input to delay the start of com- 


mands one system 
ClK 
as required 
to meet Multibus 


address 
and write data setup times. This arrangement 


will add at least one extra Tc state to each bus operation 
which uses the Multibus. 


A second 
82288 
bus controller 
and additional 
latches 


and transceivers 
could be added to the local bus of Fig- 


ure 32. This configuration 
allows the 80286 to support 


an on-board 
bus for local memory and peripherals, 
and 


the Multibus for system bus interfacing. 


MUL TIBUS 
SELECT 


XACK 


MULTIBUS 
COMMAND 


(MROC, 
MWTCI 


Figure 33 shows 
the addition 
of dual ported dynamic 


memory between the Multibus system bus and the iAPX 
286 local bus. The dual port interface is provided by the 
8207 Dual Port DRAM Controller. 
The 8207 runs syn- 


chronously 
with the CPU to maximize throughput 
for lo- 


cal 
memory 
references. 
It also 
arbitrates 
between 


requests from the local and system buses and performs 


functions such as refresh, initialization of RAM, and read! 
modify/write 
cycles. The 8207 combined 
with the 8206 


Error Checking 
and Correction 
memory 
controller 
pro- 


vide 
for single 
bit error 
correction. 
The 
dual-ported 


memory can be combined 
with a standard Multibus sys- 


tem bus interface to maximize performance 
and protec- 


tion in multiprocessor 
system configurations. 


PACKAGE 


The 80286 is packaged 
in a 68-pin, 
leadless 
JEDEC 


type A hermetic 
leadless 
chip carrier. 
Figure 34 illus- 


trates the package, 
and Figure 2 shows 
the pinout. 


.050 
(1.27) 
rl= 
F 


·09. 
(2.39) 


.066 
(1.66) 


I 
(O~::)l 
L_ 
n 
D 


.960 


(2'.36) 


~PIN 
NO 1 MARK 


•NOTICE: 
Stresses 
above those listed under 
"Absolute 
Max- 


imum Ratings ,. may cause permanent 
damage 
to the device. 


This is a stress 
rating 
only and functional 
operation 
of the de- 


vice at these or any other conditions 
above 
those indicated 
in 


the operational 
sections 
of this specification 
is not implied. 


Exposure 
to absolute 
maximum 
rating 
conditions 
for 
ex- 


tended 
periods 
may affect device 
reliability. 


Ambient 
Temperature 
Under Bias 
O°C to 70°C 


Storage 
Temperature. 
. . . . . . . . . . . . 
- 65°C to + 150°C 


Voltage on Any Pin with 


RespecttoGround 
....•........... 
-1.0to 
+7V 


Power Dissipation 
3.6 Watt 


Symbol 
Parameter 
Min. 
Max. 
Units 
Test Conditions 


Vil 
Input Low Voltage 
-0.5 
+0.8 
V 


VIH 
Input High Voltage 
; 
2.0 
Vee+0.5 
V 


VOL 
Output 
Low Voltage 
0.45 
V 
IOl=3.0mA 


VOH 
Output 
High Voltage 
2.4 
V 
IOH= 
-400 
•.•.A 


Ice 
Power Supply Current 
~ 
600 
mA 
TA=25°C 


III 
Input Leakage 
Current 
:!:10 
flA 
OV"'VIN",Vee 


ILO 
Output 
Leakage 
Current 
:!:10 
flA 
0.45V'" 
Your 
'" Vee 


Vel 
Clock 
Input High Voltagp 
-0.5 
+0.6 
V 


VeH 
Clock Input High Voltage 
3.8 
Vee+1.O 
V 


CIN 
Capacitance 
of Inputs 
10 
pF 
fc=1 
MHz 
(All input except CLK) 


Co 
Capacitance 
of I/O or outputs 
20 
pF 
fc=1 
MHz 


CelK 
Capacitance 
of CLK Input 
12 
pF 
fc= 1 MHz 


Symbol 
Parameter 
Min. 
Max. 
Units 
Test Conditions 


1 
System 
clock period 
62.5 
250 
ns 


2 
System 
clock low time 
15 
230 
ns 
at.6Volts 


3 
System 
clock high time 
20 
235 
ns 
at 3.2 Volts 


4 
Asynchronous 
input setup time 
20 
ns 
See note 1 


5 
Asynchronous 
input hold time 
20 
ns 
See note 1 


6 
RESET 
setup time 
20 
ns 


7 
RESET 
hold time 
0 
ns 


8 
Read data in setup time 
10 
ns 


9 
Read data in hold time 
L 
5 
ns 


10 
READY 
setup time 
38.5 
ns 


11 
READY 
hold time 
25 
ns 


12 
STATUS/PEACK 
valid delay 
0 
40 
ns 


13 
Address 
valid delay 
0 
60 
ns 


14 
Write data valid delay 
0 
50 
ns 
CL = 100 pF max 
above 
self load 
15 
Address/Status/Data 
float delay 
0 
60 
ns 


16 
HLDA valid delay 
0 
60 
ns 


Symbol 
Parameter 
Min. 
Max. 
Units 
Test Conditions 


17 
SRDY/SRDYEN 
setup time 
15 
ns 


18 
SRDY/SRDYEN 
hold time 
0 
ns 


19 
ARDY/ARDYEN 
setup time 
. 
0 
ns 
See note 1 


20 
ARDY/ARDYEN 
hold time 
16 
ns 
See note 1. 


CL = 50 pF 


21 
PCLKdeiay 
0 
40 
ns 
IOL = ~ ml:\ 
IOH = -1 
ma 


Symbol 
Parameter 
Min. 
Max. 
Units 
Test Conditions 


22 
CMDLY setup time 
20 
ns 


23 
CMDL Y hold time 
0 
ns 


CL = 300 pF max 
24 
Command 
delay 
3 
15 
ns 
IOL = 32 ma max 
IOH = -5 
ma max 


25 
ALE active delay 
3 
15 
ns 


26 
ALE inactive 
delay 
0 
20 
ns 


27 
DT/R read active delay 
0 
20 
ns 


28 
DT/R read inactive 
delay 
10 
40 
ns 
CL = 80 pF max 


29 
DEN read active delay 
10 
50 
ns 
IOL = 16 ma max 


30 
DEN read inactive 
delay 
3 
15 
IOH = -1 
ma max 


ns 


31 
DEN write active delay 
0 
30 
ns 


32 
DEN write inactive 
delay 
3 
30 
ns 


~.SRDYER 


: 
"""'.JJlIlVEI< 
~ 


PCLK 


ALE 


CMDLY 


!IWTC 


m 


!llllll: 


orA 


DEN 


INTR,NMI 
HOLO,PEREQ 
(SEE NOTE 2.) 


NOTES: 
1. PCLK indicates which processor cycle phase will occur on the 


next CLK. PCLK may not indicate the correct phase until the first 
bus cycle is performed. 
2. These inputs are asynchronous. The setup and hold times shown 


assure recognition for testing purposes. 


NOTE 1: When RESET meets the setup time shown, the next CLK 


will start or repeat <1>2 of a processor cycle. 


BHE,LOCK 


A23 
~:~ 
~s.:~~~.:.!.. 


COOIINTA 


(SEE NOTE 6.) 
0 
15 


- 
DO 
_ 


I 


~[ 


NOTES: 
1. These signals may not be driven by the 80286 during the time shown. The worst case in terms of latest float time is shown. 
2. The data bus will be driven as shown if the last cycie before T, in the diagram was a write TC' 
3. The 80286 fioats its status pins during TH' External pUllup resistors (in 82288) keep these signals high. 
4. For HOLD request set up to HLDA, refer to Figure 29. 
5. SHE and LOCK are driven at this time but will not become valid until Ts. 
6. The data bus will remain in 3-state OFF if a read cycle is performed. 


WAVEFORMS (Continued) 


80286 PEREQ/PEACK TIMING FOR ONE TRANSFER ONLY 


A2J 
- 
Ao 
MIO 
cooiN'fA 


NOTES: 
1. PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus operation 
will be either a memory read at operand address or 1/0 read at port address OOFA(H). 


2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is: 3XCD-@m.,. 


-@)m;n.· The actual, configuration dependent, maximum time is: 3X CD -@max.-@)m;n. 
+ A X 2 xCD· 


A is the number of extra Tc states added to either the first or second bus operation of the processor extension data operand transfer 
sequence. 


M/iO 


COD/INTA 


NOTES: 


1. 
Setup time for RESET t may be violated with the consideration that c/>1 of the processor clock may begin one system ClK period later. 
2. Setup and hold times for RESET ~ must be met for proper operation. 
3. The data bus is only guaranteed to be in 3-state OFF at the time shown. 


-------~-------~-------~-------~ 


LOW DlSP/DATA 
: 
HIGH DlSP/DATA: 
LOW DATA 
: 
HIGH DATA 
: 
_______ 
~ 
4 
• 
~ 


REGISTER OPERAND/REGISTERS 
TO USE IN OFFSET CALCULATION 


REGISTER OPERAND/EXTENSION 
OF OPCODE 
REGISTER MODE/MEMORY MODE WITH DISPLACEMENT LENGTH 


WORD/BYTE OPERATION 
DIRECTION IS TO REGISTER/DIRECTION 
IS FROM REGISTER 


OPERATION (INSTRUCTION) CODE 


-------~-------~ 
I 
I 
LOW DISP 
I 
HIGH DlSP 
I 
------- 
..•._------~ 


80286 INSTRUCTION SET SUMMARY 
Instruction Timing Notes 


The instruction 
clock counts listed below establish 
the 


maximum 
execution rate of the 80286. With no delays in 


bus cycles, the actual clock count of an 80286 program 
will average 
5% more than the calculated 
clock count, 
due to instruction 
sequences 
which execute faster than 


they can be fetched from memory. 


To calculate 
elapsed 
times for instruction 
sequences, 
multiply the sum of all instruction 
clock counts, as listed 


in the table below, by the processor 
clock period. An 8 


MHz processor clock has a clock period of 125 nanosec- 
onds and requires an 80286 system clock (CLK input) of 
16MHz. 


Instruction Clock Count Assumptions 


1. The instruction 
has been prefetched, 
decoded, 
and 


is ready for execution. Control transfer instruction clock 
counts include all time required to fetch, decode, and 
prepare the next instruction for execution. 


2. Bus cycles do not require wait states. 


3. There 
are no processor 
extension 
data transfer 
or 


local bus HOLD requests. 


4. No exceptions 
occur during instruction 
execution. 


Instruction Set Summary Notes 


Addressing 
displacements 
selected 
by the MOD field 
are not shown. 
If necessary 
they appear 
after the in- 
struction fields shown. 


Above/below 
refers to unsigned value 


Greater refers to positive signed value 


Less refers to less positive (more negative) signed values 


if d = 1 then to register; if d = 0 then from register 


if w = 1 then 
word 
instruction; 
if w 
= 0 then 
byte 
instruction 


if s = 0 then 16-bit immediate 
data form the operand 


if s = 1 then an immediate 
data byte is sign-extended 
to form the 16-bit operand 


x 
don't care 


z 
used for string primitives 
for comparison 
with ZF 
FLAG 


If two clock counts are given, the smaller refers to a reg- 
ister operand and the larger refers to a memory operand 


* 
= add one clock if offset calculation 
requires 
sum- 
ming 3 elements 


n = number of times repeated 


m = number of bytes of code in next instruction 


Level (L)-Lexical 
nesting level of the procedure 


The following 
comments 
describe 
possible exceptions, 
side effects, 
and allowed usage for instructions 
in both 


operating 
modes of the 80286. 


REAL ADDRESS 
MODE ONLY 


1. This is a protected 
mode instruction. 
Attempted 
ex- 


ecution in real address mode will result in an unde- 
fined opcode exception 
(6). 


2. A segment overrun exception (13) will occur if a word 


operand reference 
at offset FFFF(H) is attempted. 


3. This instruction 
may be executed 
in real address 


mode to initialize the CPU for protected 
mode. 


4. The IOPL and NT fields will remain O. 


5. Processor 
extension 
segment overrun interrupt (9) 


will occur if the operand exceeds the segment limit. 


EITHER 
MODE 


6. An exception 
may occur, depending 
on the value of 


the operand. 


7. [OCR 
is automatically 
asserted 
regardless 
of the 


presence or absence of the LOCK instruction prefix. 


8. LOCK does not remain active between 
all operand 


transfers. 


9. A general protection 
exception 
(13) will occur if the 


memory 
operand 
can not be used due to either a 


segment 
limit or access 
rights violation. 
If a stack 


segment 
limit is violated, 
a stack segment overrun 


exception 
(12) occurs. 


10. 
For segment 
load operations, 
the CPL, RPL, and 


OPL must agree with privilege rules to avoid an ex- 
ception. 
The segment 
must be present 
to avoid a 


not-present 
exception 
(11). If the SS register is the 
destination, 
and a segment 
not-present 
violation 


occurs, a stack exception 
(12) occurs. 


11. All segment descriptor 
accesses 
in the GOT or LOT 


made by this instruction 
will automatically 
assert 


[OCR 
to maintain 
descriptor 
integrity 
in multipro- 


cessor systems. 


12. JMP, CALL, INT, RET, IRET instructions 
referring to 


another code segment will cause a general protec- 
tion exception 
(13) if any privilege rule is violated. 


13. A general 
protection 
exception 
(13) occurs if CPL 
io O. 


14. A 
general 
protection 
exception 
(13) 
occurs 
if 


CPL> 
IOPL. 


15. The 
IF field 
of the 
flag 
word 
is not updated 
if 


CPL 
> 
IOPL. 
The 
IOPL field 
is updated 
only 
if 


CPL = O. 


16. Any violation of priVilege rules as applied to the se- 


lector operand do not cause a protection exception; 
rather, the instruction 
does not return a result and 


the zero flag is cleared. 


17. 
If the starting address of the memory operand vio- 
lates a segment 
limit, or an invalid 
access 
is at- 


tempted, 
a general 
protection 
exception 
(13) will 


occur before the ESC instruction is executed. A stack 
segment overrun exception (12) will occur if the stack 
limit is violated by the operand's 
starting address. If 


a segment limit is violated during an attempted data 
transfer then a processor 
extension 
segment over- 


run exception 
(9) occurs. 


18. The destination 
of an INT, JMP, 
CALL, 
RET or 


IRET instruction 
must 
be in the defined 
limit of 


a code segment 
or a general 
protection 
excep- 


tion (13) will occur. 


-- 
'''',U''''' ",uunl 
",UlnnU.I"IV 


Real 
Protected 
Real 
Pflllected 


FUNCTION 
FORMAT 
Address 
Vlrtuel 
Address 
Vlrtuel 


Mode 
Address 
Mode 
Address 


Mode 
Mode 


DATATRANSFER 
MOV; 
Move: 
Registerto Register/Memory 
11 000100w 
mod reg 
rim 
2,3" 
2,3' 
2 
9 


Registerlmemoryto register 
11 000101w 
mod reg 
rim 
2,5' 
2,5' 
2 
g 


Immediateto registerlmemory 
11 1 0001 
1 w 
modOOO 
rim 
data 
I 
dataifw-l 
I 
2,3' 
2,3' 
2 
9 


Immediateto register 
11 01 
1 w 
reg 
data 
dataifw-l 
I 
2 
2 


Memory to accumulator 
11 010000w 
addr-Iow 
addr-high 
I 
5 
5 
2 
9 


Accumulatorto memory 
11 010001w 
addr-Iow 
addr-high 
I 
3 
3 
2 
9 


Registerlmemoryto segment register 
11 00 
0 1 1 1 0 
mod 0 reg 
rim 
2,5' 
17,19' 
2 
9,10,11 


Segmentregisterto register/memory 
11 0001100 
mod0 reg 
rim 
2,3' 
2,3' 
2 
9 


PUSH; 
Push: 
Memory 
11 1111111 
I 
mod 110 
rim I 
5' 
5' 
2 
9 


Register 
10 1 0 1 0 
reg I 
3 
3 
2 
9 


Segmentregister 
10 00 
reg 1 1 0 I 
3 
3 
2 
9 


Immediate 
1011010soi 
data 
I 
dataijs-O 
I 
3' 
3 
I 
~ 


.- 
, 


-iiUSllA •• PuShAll _ 
onOOOOO! 
17 
11 
Z 
3 


POp; 
Pop: 


Memory 
11 00 
0 1 1 1 11 
mod 0 00 
rim I 
5' 
5' 
2 
9 


Register 
10 1 0 1 1 
reg I 
5 
5 
2 
g 


Segmentregister 
10 00 
reg 1 1 1 I 
(regHl) 
5 
20 
2 
9,10,11 


, 


"'POPA •• f'!lp_AII 
10 1 1 0 000 
1 I 
19 
19 
2 
~ 


XCHG; 
Exchange: 
Register/memorywith register 
11 000011wl 
mod reg 
rim I 
3,5' 
3,5' 
2,7 
7,9 


Register 
with accumulator 
11 00 
1 0 
reg I 
3 
3 


IN; Inputlfllm: 
. 


Fixedport 
11 1 1 00 
lOw 
I 
port 
I 
5 
5 
14 


variable port 
11 1 1 0 1 lOw 
I 
5 
5 
14 


OUT; 
Outpulto: 
Fixedport 
11 1 1 00 
1 1 w 
port 
I 
3 
3 
14 


variable port 
11 11 
0 1 1 1 w 
3 
3 
14 


XLAT~ Translatebyteto AL 
11 1 0 1 0 1 1 1 
5 
5 
9 


LEA~ LoadEAto register 
11 00 
0 1 1 0 1 
mod reg 
rim I 
3' 
3' 


LOS~ Loadpointer to OS 
11 1 0 0 0 1 0 1 
mod reg 
rim I 
(mod" 
11) 
7' 
21' 
2 
9,10,11 


LES= Loadpointer to ES 
11 1 0 0 0 1 0 0 
mod reg 
rim I 
(mod" 
11) 
7' 
21' 
2 
9,10,11 


LAHF; LoadAHwith flags 
11 o 0 1 1 1 1 1 
2 
2 


SAHF~ Store AH into flags 
11 00 
1 1 1 1 0 
2 
2 


PUSHF~ Pushflags 
11 00 
1 1 1 0 0 
3 
3 
2 
9 


POPF= Popflags 
11 00 
1 1 1 0 1 
5 
5 
2,4 
9,15 


CLOCK COUNT 
COMMENTS 


Real 
Protected 
Rell 
Protected 


FUNCTION 
FORMAT 
Address 
Virtual 
Address 
Virtual 


Mode 
Address 
Mode 
Address 
.' .' 
Mode 
Mode 


ARITHMETIC 
ADD = Add: 
Reglmemorywith registerto either 
10 00 
0 0 0 d w I 
modreg 
rim 
I 
2,r 
2,7' 
2 
9 


Immediateto registerlmemory 
11 00000 
s wi 
mod0'0 0 
rim I 
data 
I 
dataif s w- 01 I 
3,r 
3,r 
2 
9 


Immediateto accumulator 
10000010wl 
data 
I 
datailw-l 
I 
3 
3 


ADC = Addwilli carry: 
Reg/memorywith registerto either 
10 00 
1 0 0 d wi 
mod reg 
rim I 
2,r 
2,r 
2 
9 


Immediateto registerlmemory 
11 00000 
s wi 
mod010 
rim I 
data 
I 
datailsw-Ol 
I 
3,r 
3,r 
2 
9 


Imme<1iateto accumulator 
10 00 
1 0 lOw 
I 
data 
I 
datailw-l 
I 
3 
3 


INC = Increment: 
Registerlmemory 
11 111111 
wi 
modOOO 
rim I 
2,r 
2,7" 
2 
9 


Register 
10 1 0 0 0 
reg I 
2 
2 


SU8 = Subtract: 
Reglmemoryandregisterto either 
1001010dwi 
modreg 
rim 
I 
2,7' 
2,r 
2 
9 


ImmediateIrom registerlmemory 
1100000swl 
mod 101 
rim I 
data 
I 
datailsw-Ol 
I 
3,r 
3,7" 
2 
9 


Immediatefrom accumulator 
10010110wl 
data 
I 
datailw-l 
I 
3 
3 


S88 = Subtractwilli borraw: 
Reglmemoryandregisterto either 
1000110dwi 
mod reg 
rim I 
2,r 
2,7' 
2 
9 


Immediatetrom registerlmemory 
1100000swl 
modOll 
rim I 
data 
I 
dataifsw-Ol 
I 
3,r 
3,7" 
2 
9 


Immediatefrom accumulator 
10 00 
1 1 lOw 
I 
data 
I 
datailw-l 
I 
3 
3 


DEC= Decrement: 
Registerlmemory 
11 111111 
w I 
mod00 1 
rim I 
2,r 
2,7' 
2 
9 


Register 
10 1 0 0 1 
reg I 
2 
2 


CMP= Compare: 
Registerlmemorywith register 
10 01 
1 1 01 
w I 
modreg 
rim I 
2,6' 
2,6' 
2 
9 


Registerwith registerlmemory 
10011100wl 
modreg 
rim 
I 
2,7' 
2,r 
2 
9 


Immediatewith registerlmemory 
1,00000sw 
mod 111 
rim I 
data 
I 
datailsw-Ol 
I 
3,6' 
3,6' 
2 
9 


Immediatewith accumulator 
10 01 
1 1 lOw 
data 
I 
datailw-1 
I 
3 
3 


NEG= Changesign 
11 11 
1 011 
w 
modOl1 
rim I 
2 
r 
2 
7 


AM ~ ASCIIadjustlor add 
10 0 1 1 0 1 1 1 
3 
3 


DAA= Decimaladjustfor add 
10 0 1 0 0 1 1 1 
3 
3 
W - ASCIIadjustfor subtract 
10 0 1 1 1 1 1 1 
3 
3 


" 


DAS= Decimaladjustfor subtract 
10 0 1 0 1 1 1 1 
3 
3 


MUL~ Mu~iply (unsigned): 
11 11 
1011 
w 
mod 100 
rim I 


Register-Byte 
13 
13 
Register-Word 
21 
21 


Memory-Byte 
16' 
16' 
2 
9 
Memory-Word 
24' 
24' 
2 
9 


IMUL= IntegermUltiply(signed): 
11 1 1 1 01 
1 wi 
mod 101 
rim I 


Register-Byte 
13 
13 
Register-Word 
21 
21 
Memory-Byte 
16' 
16' 
2 
9 
Memory-Word 
24' 
24' 
2 
9 
, 


21,24-"' 21.24'- 
lMUI.~l~rl 
10 1 1 0 1 0 s 1 I 
modrllll 
rim I 
data 
I 
dataijs=O 
I 
2 
9 
~Sioned) 
- 


DIV= Divide(unsigned): 
11 11 
1 011 
w I 
mod 11 0 rim 
1 


Register-Byte 
14 
14 
6 
6 
Register-Word 
22 
22 
6 
6 
Memory-Byte 
lr 
1r 
2,6 
6,9 
Memory-Word 
25' 
25' 
2,6 
6,9 


CLOCK COUNT 
COMMENTS 


Real 
Protected 
Real 
Protected 


FUNCTION 
FORMAT 
Address 
Virtual 
Address 
Virtual 


Mode 
Address 
Mode 
Address 


Mode 
Mode 


ARITHMETIC (Conllnued): 


lolV ~ Integer divide (signed): 
11 
1 1 1 0 1 1 wi 
mod 111 
rim 
I 


Regisler·Byte 
17 
17 
6 
6 


Register·Word 
25 
25 
6 
6 


Memory·Byte 
20' 
20' 
2,6 
6,9 


Memory·Word 
2B' 
28' 
2,6 
6,9 


AAM ~ ASCII adjustfor 
multiply 
11 10101001000010101 
16 
16 


AAo = ASCII adjusl for divide 
11 101ll-1011000010101 
14 
14 
. 
,'. 


11 00110001 
- 
caw = Convert byte to word 
2 
2 


CWO = Convert word to double word 
11 00 
1 1 0 0 
1 I 
2 
2 


lOGIC 
ShiltlRotate 
Inmuetlonl: 


Register/Memory 
by 1 
11 
101000wl 
mod 
m 
rim 
I 
2,7' 
2,7" 
2 
9 


Register/Memory 
by CL 
11 
1 0 1 001 
wi 
mod 
m 
rim 
I 
5+n,8"n· 
5+n,8+n' 
2 
9 


ReglSterlMemory 
by Count 
Jl 
100000wl 
mod 
mr/m 
I 
count 
I 
5+'.8+., 
5+0,8+.' 
2 
9 - 


m 
Instruction 


000 
ROL 


o 0 1 
ROR 
- 


o 1 0 
RCL 


o 1 1 
RCR 
1 0 0 
SHUSAL 
1 0 1 
SHR 
111 
SAR 


ANo=And: 


Reglmemory 
and register to either 
1001000dwl 
mod reg 
rim I 
2,7' 
2,7' 
2 
9 


Immediate 
10 registerlmemory 
11000000wl 
mod 1 00 
rim I 
dala 
I 
dataifw=1 
I 
3,7" 
3,7' 
2 
9 


Immediate 
to accumulator 
10010010wl 
data 
I 
dataifw-I 
I 
3 
3 


TEST = And lunctlon 
to lIegs, 
no resull: 


Register/memory 
and register 
11 
000010wl 
mod reg 
rim 
I 
2,6' 
2.6' 
2 
9 


Immediate 
data and register/memory 
11 
11 
1 01 
1 wi 
modOOO 
rim 
I 
data 
I 
data ifw-l 
I 
3.6' 
3.6' 
2 
9 


Immediate data and accumulator 
11 010100wl 
data 
I 
dataifw-l 
I 
3 
3 


OR = Or: 


Reglmemory 
and register to either 
JOOO010dwi 
mod reg 
rim I 
2.7' 
2,7' 
2 
9 


Immediate to register/memory 
11000000wl 
modOOl 
rim 
I 
data 
I 
dataifw-l 
I 
3,7' 
3,7' 
2 
9 


Immediate to accumulator 
10000110wl 
data 
I 
dataifw-l 
I 
3 
3 


XoR = Exclus've 
or: 


Reg/memory 
and register to either 
1001100dwi 
mod reg 
rim 
I 
2,7' 
2,7' 
2 
9 


Immediate to register/memory 
11000000wl 
mod 11 0 
rim I 
data 
I 
dataifw~1 
I 
3,7' 
3,7' 
2 
9 


Immediate to accumulator 
10011010wl 
data 
I 
dataifw-l 
I 
3 
3 


NOT -Invert 
register/memory 
II 
11 
1 011 
wi 
modOl0 
rim I 
2,7' 
2,7' 
2 
9 


STRING MANIPULATION: 


MOYS ~ Move byteIWord 
11 
010010w 
5 
5 
2 
9 


CMPS - Compare bytelword 
11 01 
00 
1 1 w 
8 
8 
2 
9 


SCAS = Scan byte/word 
11 0101 
11 
w 
7 
7 
2 
9 


looS 
= Load bytelwd to AUAX 
11 01 
0 1 lOw 
5 
5 
2 
9 


SToS = Stor byte/wd from AUA 
11 
01 
0 1 01 
w 


- 


3 
3 
2 
9 


INS ~ Input byterwd from OX port 
10 
11 
01 
lOw 
5 
5 
2 
9,14 


OUTS = Output byterwd to OX port 
10 
1101 
11 
w 
r-i 
5 
2 
9,14 


CLOCK COUNT 
COMMENTS 


Rill 
Protected 
Rill 
PTOtected 


FUNCTION 
FORMAT 
Addreu 
Vlrtuel 
Addreu 
Vlrtuel 


Mode 
Addreu 
Mode 
Addreu 


Mode 
Mode 


CONTROLTRANSFER (Continued): 


JEtJZ =JumponequalJzero 
10 1 1 1 0 1 0 0 
disp 
I 
7+mor3 
7+mor3 
18 


JLlJNGE = Jumpon~noIgreat~orequai 
10 1 1 1 1 1 0 0 
disp 
7+mor3 
7+mor3 
18 


JLEtJNG = JumponOssorequallnotgrealer 
10 1 1 1 1 1 1 0 
disp 
7+mor3 
7+mor3 
18 


JB/JNAE = Jumponbelow/notab"",orequal 
10 1 1 1 0 0 1 0 
disp 
7+mor3 
7+mor3 
18 


JBEtJNA = JumponbeWworequaVnot 
ab"", 
10 1 1 1 0 1 1 0 
disp 
7+mor3 
7+mor3 
18 


JP/JPE = Jumponparitylparity 
"" 
10 1 1 1 1 0 1 0 
disp 
7+mor3 
7+mor3 
18 


JO = JUIllllon"",riow 
10 1 1 1 0 0 0 0 
disp 
7+mor3 
7+mor3 
18 


JS=Jumponsign 
10 11 
1 1 00 
0 
disp 
7+mor3 
7+mor3 
18 


JNEtJNZ = JumponnoIequal111ot 
zero 
10 11 
1 0 1 0 1 
disp 
7+mor3 
7+mor3 
18 


JNLlJGE = Jumponnot~greaterorequal 
10 11 
1 1 1 0 1 
disp 
7+mor3 
7+mor3 
18 


JNLEtJG = JumponnotOssorequallgrealer 
10 11 
1111 
1 
disp 
7+mor3 
7+mor3 
18 


JNB/JAE = JumponnotbeWw/ab"", 
orequal 
10 11 
1 0 0 1 1 
disp 
7+mor3 
7+mor3 
18 


JNBEtJA = JumponnotbeloworequalJab"", 
10 1 1 1 0 1 1 1 I 
disp 
7+mor3 
7+mor3 
18 


JNP/JPO = Jumponnotparlparorld 
10 11 
1 1 0 1 1 
disp 
7+mor3 
7+mor3 
18 


JNO = Jumponnot"",riow 
10 1 1 1 0 0 0 1 
disp 
7+mor3 
7+mor3 
18 


JNS=JumponnotSlOn 
10 1 1 1 1 00 
1 
disp 
7+mor3 
7+mor3 
18 


LOOP= loopex times 
11 1 1 0 0 0 1 0 
disp 
I 
8+mor4 
8+mor4 
( 
18 


LOOPZlLOOPE= loopwIli.zero/equal 
11 1 1 0 0 00 
1 
disp 
I 
8+mor4 
8+mor4 
18 


LOOPNZlLOOPNE= loopwIli. notzero/equal11 1100000 
disp 
I 
8+mor4 
8+mor4 
18 


JCXZ = Jumponex zero 
11 1 1 0 0 0 1 1 
disp 
I 
8+mor4 
8+mor4 
18 


EIlTEll = Enter Procedure 
11 10010001 
data·low 
1 
data-high 
I 
I 


w 
""',,""",,<, 


L 
U 
8,9 
L~O 
11 
11 
2,8- 
if,lI 
L~l 
15 
15 
" 2,8 
ii, 
3;1I 
L>1 
.+~-11 
"+~-I) 
2,8 
~ 
LiAVE = Leave Procedure 
11 10010011 


INT= Interrupt: 
Typespecified 
11 1 0 0 1 1 0 1 I 
type 
I 
23+m 
2,7,8 


Type3 
11 1 0 0 1 1 0 0 I 
23+m 
2,7,8 


INTO= Interrupt on overflow 
11 1 0 0 1 1 1 0 I 
24+mor3 
2,6,8 


(31no 
(31no 


Protected Mode Only: 
"'~rupt) 
intlrTuotl 


Via interrupt 
or trap gate to same privilege 
level 
40+m 
7,8,11,12,18 
Via interrupt or trap gate to lit different privilege level 
78+m 
7,8,11,12,18 
Via TaskGate 
161+m 
7,8,11,12,18 


IRET= Interrupt return 
11 
1 0 0 1 1 1 tI 
17+m 
31 +m 
2,4 
8,9,11,12,15,18 


Protected Mode Only: 
Todifferent privilege level 
5S+m 
8,9,11,12,15,18 
To different task (NT= 1) 
169+m 
8,9,11,12,18 


BOUIID = Detect value out of range 
1011000101 
mod reg 
rim I 
13' 
13' 
2,6 
',f,tft,1ut 


I 


(\lSllIITdolk., 


eapliolISl 


intel~ 
iAPX 286/10 
&[Q)W&~©~ O~IP@!Rl~&'iJ'O@~ 


80286 INSTRUCTION 
SET SUMMARY (Continued) 


CLOCK COUNT 
COMMENTS 


Real 
Protected 
Real 
Protected 


FUNCTION 
FORMAT 
Addreu 
Virtual 
Addreu 
Virtual 


Mode 
Address 
Mode 
Address 


Mode 
Mode 


PROCESSOR CONTROL 
CLC= Clear carry 
11 1 1 1 1 0 0 0 I 
2 


CMC= Complement carry 
11 1 1 1 01 
0 1( 
2 


STC~ Set carry 
11 1 1 1 1 00 
1/ 
2 


CLO= Clear direction 
11 1 1 1 1 1 0 0 
2 


STO = Set direction 
11 1 1 1 1 1 0 1 
2 


Cli ~ Clear interrupt 
11 1 1 1 1 0 1 0 
3 
14 
sn = Set interrupt 
11 1 1 1 1 01 
1 
2 
14 


HLT=Halt 
11 1 1 1 0 1 0 0 
2 
13 


WAIT~Wait 
11 00 
1 1 0 1 1 
3 


LOCK~ Bus lock prefix 
11 1 1 1 0 0 0 0 
0 
14 


CTS= Clear task SWItchedflag 
10 0001 
11 
1 
000001101 
2 
3 
13 


ESC~ Processor Extension Escape 
11 1 0 1 1 T T T 
mod LLL rim 
I 
9-20' 
9-20' 
5,8 
8,17 
(m LLLare opcode to processor extension) 


SEG - Segment 
Override 
Prefix 
1001 reg 110 


PROTECTIONCONTROL 
l&DT= looIgiOOlId!stnp!crQb!erlllSfer 
10 0 0 0 1 1 1 1 I 0 0 0 0 0 0 0 11 
modOl0 
rim 
". 
". 
2,3 
9,1'3 


SDDT=Sfor1g1obid!stnp!crQb!erlllSfer 
10 0001 
1 1 11000000011 
modOOO rim 
11' 
II' 
2,3 
9 


lIDT=looI~~Qb!er_ 
10 0001 
1 1 1Ioooooooq 
modOl1 
rim 
12' 
12' 
2,3 
9,\3 


S1DT=SIDr.iIIlmlpId!stnp!crQb!ertglS!lr 
10 0001 
1 1 11000000011 
modOOl 
rim 
12' 
12' 
2,3 
9 
LLDT=looIlocaIdastnptortabIeJeglSllr 


10 000 
1 1 1 1 
000000001 
9,11,13 
fronlrllislarmemort 
modOl0 
rim 
17,19' 


SLOT=StorelocaldostnptorQb!eJeglslar 
10 000 
1 1 1 
000 
0 000 
01 
modOOO tlm 
torigislarlmemort 
2,3' 


LTR=lOldtasl<r_ 
10 0001 
11 
00 
0 0 0 0 0 01 
fronlrlllSfer,1lllmOfY 
1 
modOl1 
rim 
17,19' 
9,1U3 
STR=Stll!tIlSl<JeglSlIr 
10 0001 
1 1 1 
o 0 0 0 0 0 0 01 
toJllislarf!lllllQfY 
modOOl 
rim 
2,3' 
9 
lM$W=lOlll_stIIiswonl 
10 000 
1 1 1 1 
oooooooq 
fromTlliSllO_1)' 
modll0 
rim 
3,6' 
3,S' 
2,3 
9,13 
SMSW=Sfor1_stIIiswonl 
10 0001 
1 1 1 
oooooooq 
modl00 
rim 
2,3' 
2,3' 
2,3 
9 
lAR~lOllllCQ!S$rIil"s 
10 000 
1 1 1 
000000101 
!romrlllSferlmemort 
modreg 
rim 
14,16' 
9,1MB 
LSL= lOldsagmantUlnit 
10 000 
1 1 1 1 
000000111 
fronlr~slar!l1lllnll1)' 
modreg 
rim 
14,16' 
ARPL= Ad!ustraquestldp.leveI· 


011000111 
fromJeglSllrImemort 
modreg 
rim 
10',11' 
8,9 


VERR=\\lrifyflllllCQ!S$JeglSlIr;1l'OI1lOI'flio 
00 
0 1 1 1 
000000001 
mod 1 00 
rim 
14,16' 
9,11,16 


VERR="",~ 
ms> 
10 000 
1 1 1 
000000001 
modl01 
rim 
14,16' 
B,ttl6 


Shaded areas indicate instructions 
not available in iAPX 86, 88 microsystems. 


The effective 
Address 
(EA) of the memory 
operand 
is 


computed 
according 
to the mod and rim fields: 


if mod = 11 then rim is treated as a REG field 


if mod = 00 then OISP = 0·, disp-Iow and disp-high 


are absent 


if mod = 01 then OISP = disp-Iow sign-extended 
to 


16-bits, disp-high 
is absent 


if mod = 10 then OISP = disp-high: 
disp-Iow 


if rim = 000 then EA = (BX) + (SI) + OISP 


if rim = 001 then EA = (BX) + (01) + OISP 


if rim = 010then 
EA = (BP) + (SI) + OISP 


if rim = 011 then EA = (BP) + (01) + OISP 


if rim = 100 then EA = (SI) + OISP 


if rim = 101 then EA = (01) + OISP 


if rim = 110 then EA = (BP) + OISp· 


if rim = 111 then EA = (BX) + OISP 


OISP follows 2nd byte of instruction 
(before data if 


required) 


SEGMENT OVERRIDE PREFIX 


10 0 1 reg 
1 1 01 


reg is assigned according 
to the following: 


Segment 
reg 
Register 


00 
ES 
01 
CS 


10 
SS 


11 
OS 


REG is assigned according 
to the following table: 


16-Blt (w = 1) 
8·Blt (w = 0) 


000 
AX 
000 
AL 


001 
CX 
001 
CL 


010 
OX 
010 
OL 


011 
BX 
011 
BL 


100 
SP 
100 AH 


101 
BP 
101 CH 


110 
SI 
110 
DH 


111 
01 
111 
BH 


The physical 
addresses 
of all operands 
addressed 
by 
the BP register 
are computed 
using the SS segment 
register. The physical addresses 
of the destination 
op- 


erands 
of the 
string 
primitive 
operations 
(those 
ad- 


dressed 
by the 01 register) are computed 
using the ES 


segment, which may not be overridden. 


Appendix 
D 
iAPX 86/88 Software 
Cempatibility Considerations 


List of Minor Differences 
Between 
iAPX 86 and iAPX 286 (Real Mode) 
..... 
D-1 


APPENDIX D 


iAPX 86/88 
SOFTWARE COMPATIBILITY 
CONSIDERATIONS 


In general, 
the real address 
mode iAPX 
286 
will 
correctly 
execute 
ROM-based 
iAPX 
86/88 
software. 
The following 
is a list of the 
minor differences 
between iAPX 86 and iAPX 
286 (Real mode). 


I. 
Add Six Interrupt 
Vectors. 


The iAPX 286 adds six interrupts 
which 
arise only if the iAPX 86/88 
program 
has 
a hidden bug. These interrupts 
occur only 
for instructions 
which were undefined 
on 
the 
8086/8088 
or if a segment 
wrapa- 


round 
is attempted. 
It is recommended 
that you add an interrupt 
handler 
to the 
iAPX 86/88 
software that is to be run on 
the 
iAPX 
286, 
which 
will treat 
these 
interrupts 
as invalid operations. 


This additional 
software 
does not signifi- 
cantly 
effect 
the 
existing 
iAPX 
86/88 
software 
because 
the 
interrupts 
do not 
normally 
occur 
and 
should 
not 
already 
have 
been 
used 
since 
they 
are 
in the 
interrupt 
group 
reserved 
by 
Intel. 


Table 
D-l 
describes 
the new iAPX 
286 
interrupts. 


2. 
Do not Rely on iAPX 
86/88 
Instruction 
Clock Counts. 


The 
iAPX 
286 
takes 
fewer 
clocks 
for 
most instructions 
than 
the iAPX 
86/88. 
The areas to look into are delays between 
I/O 
operations, 
and 
assumed 
delays 
in 
iAPX 86/88 
operating 
in parallel with an 
8087. 


3. 
Divide 
Exceptions 
Point 
at 
the 
DIV 
Instruction. 


Any 
interrupt 
on the 
iAPX 
286 
will 
always 
leave 
the 
saved 
CS:IP 
value 
pointing 
at the instruction 
which 
failed. 
On 
the 
iAPX 
86/88, 
the 
CS:IP 
value 


Interrupt 
Number 


A 
BOUND 
instruction 
was 


executed with a register 
value 


outside the two limit values. 


An 
undefined 
opcode 
was 


encountered. 


The EM bit in the MSW has been 
set and an ESC instruction was 
executed. This interrupt will also 
occur on WAIT instructions if TS 
is set. 


The interrupt 
table 
limit 
was 


changed by the L1DT instruction 
to a value between 20H and 42H. 
The default 
limit after reset is 


3FFH, enough for all 256 inter- 
rupts. 


A 
processor 
extension 
data 


transfer exceeded offset OFFFFH 
in a segment. 
This 
interrupt 


handler must execute 
FNINIT 


before any ESC or WAIT instruc- 
tion is executed. 


Segment 
wraparound 
was 


attempted by a word operation at 
offset 
OFFFFH. 
A push 
with 


SP=1 
during PUSH, CALL, or 


INT will also cause this. 


saved for a divide exception 
points at the 


next instruction. 


4. 
Use 
Interrupt 
16 for 
Numeric 
Excep- 
tions. 


Any 
iAPX 
286/20 
system 
must 
use 
interrupt 
vector 
16 for the numeric 
error 
interrupt. 
If an iAPX 
86/20 
or iAPX 
88/20 
system uses another 
vector for the 


8087 interrupt, 
both vectors should point 
at the numeric 
error interrupt 
handler. 


5. 
Numeric 
Exception 
Handlers 
Should 


allow Prefixes. 


The saved CS:IP 
value 
in the NPX 


environment save area will point at any 
leading prefixes before an ESC instruc- 
tion. On iAPX 86/88 systems, this value 
points only at the ESC instruction. 


6. 
Do Not Attempt Undefined iAPX 86/88 
Operations. 


iAPX 86/88 instructions like POP CS or 
MOY CS,op will either cause exception 
6 (undefined 
opcode) 
or perform 
a 


protection setup operation like LIDT on 
the iAPX 286. Undefined bit encodings 
for bits 5-3 of the second byte of POP 
MEM or PUSH MEM will cause excep- 
tion 13 on the iAPX 286. 


7. 
Place a Far JMP Instruction at FFFFOH. 


After reset, CS:IP = FOOO:FFFOon the 
iAPX 286. This change was made to 
allow sufficient 
code space 
to enter 


protected mode without reloading CS. 
Placing 
a 
far 
JMP 
instruction 
at 


FFFFOH will avoid this difference. Note 
that the BOOTSTRAP option of LOC86 
will automatically 
generate 
this jump 


instruction. 


8. 
Do not Rely on the Yalue Written by 
PUSH SP. 


The iAPX 286 will push a different value 
on the stack for PUSH SP than the iAPX 
86/88. If the value pushed is important, 
replace PUSH SP instructions with the 
following three instructions: 


PUSH 
BP 


MOY 
BP,SP 


XCHG 
BP,[BP] 


This code functions as the iAPX 86/88 
PUSH SP instruction on the iAPX 286. 


9. 
Do not Shift or Rotate by More than 31 
Bits. 


The iAPX 286 masks all shift/rotate 
counts to the low 5 bits. This MOD 32 
operation limits the count to a maximum 
of 31 bits. With this change, the longest 
shift/rotate 
instruction 
is 39 clocks. 


Without this change, the longest shift/ 
rotate instruction would be 264 clocks, 
which delays interrupt response until the 
instruction completes execution. 


10. Do not Duplicate Prefixes. 


The iAPX 286 sets an instruction length 
limit of 10 bytes. The only way to violate 
this limit is by duplicating a prefix two 
or more times before 
an instruction. 


Exception 
6 occurs if the instruction 


length limit is violated. The iAPX 86 or 
88 has no instruction length limit. 


11. Do not Rely on Odd iAPX 86/88 LOCK 


Characteristics. 


The LOCK prefix and its corresponding 
output 
signal should only be used to 


prevent other bus masters 
from inter- 


rupting a data movement operation. The 
iAPX 286 will always 
assert 
LOCK 


during 
an 
XCHG 
instruction 
with 


memory (even if the LOCK prefix was 
not used). LOCK should only be used 
with the XCHG, 
MOY, MOYS, INS, 


and OUTS instructions. 


The iAPX 286 LOCK signal will not go 
active during an instruction prefetch. 


12. Do not Single Step External 
Interrupt 


Handlers. 


The priority of the iAPX 286 single step 
interrupt 
is different from that of the 


iAPX 86/88. This change was made to 
prevent an external interrupt from being 
single-stepped if it occurs while single 
stepping through a program. The iAPX 
286 single step interrupt 
has higher 


priority than any external interrupt. 


The iAPX 
286 will still 
single 
step 
through an interrupt handler invoked by 
INT 
instructions 
or 
an 
instruction 
exception. 


13. Do not Rely on IDlY 
Exceptions 
for 
Quotients of 80H or 8000H. 


The iAPX 286 can generate the largest 
negative number as a quotient for IDlY 
instructions. The iAPX 86 will instead 
cause exception O. 


14. Do not Rely on NMI Interrupting 
NMI 
Handlers. 


After an NMI is recognized, the NMI 
input and processor extension limit error 
interrupt is masked until the first IRET 
instruction is executed. 


15. The NPX 
error 
signal 
does not pass 
through 
an 
interrupt 
controller 
(an 
8087 INT signal does). Any interrupt 
controller-oriented 
instructions 
for the 
iAPX 86/20 may have to be deleted. 


Numeric Supplement 


This supplement describes the 80287 Numeric Processor Extension (NPX) for the iAPX 286 micro- 
processor. Below is a brief overview of iAPX 286 concepts, along with some of the nomenclature used 
throughout this and other Intel publications. 


The iAPX 286 is a new VLSI microprocessor system with exceptional capabilities for supporting large- 
system applications. Based on a new-generation CPU (the Intel 80286), this powerful microsystem is 
designed to support multiuser reprogrammable and real-time multitasking applications. Its dedicated 
system support circuits simplify system hardware; sophisticated hardware and software tools reduce 
both the time and the cost of product development. 


The iAPX 286 is a virtual-memory microprocessor with on-chip memory management and protection. 
The iAPX 286 microsystem offers a total-solution approach, enabling you to develop high-speed, inter- 
active, multiuser, multitasking-and 
multiprocessor-systems 
more rapidly and at higher performance 
than ever before. 


• 
Reliability and system up-time are becoming increasingly important in all applications. Information 
must be protected from misuse or accidental loss. The iAPX 286 includes a sophisticated and flexi- 
ble four-level protection mechanism that isolates layers of operating system programs from appli- 
cation programs to maintain a high degree of system integrity. 


• 
The iAPX 286 provides 16 megabytes of physical address space to support today's application 
requirements. This large physical memory enables the iAPX 286 to keep many large programs and 
data structures simultaneously in memory for high-speed access. 


• 
For applications with dynamically changing memory requirements, such as multiuser business 
systems, the iAPX 286 CPU provides on-chip memory management and virtual memory support. 
On an iAPX 286-based system, each user can have up to a gigabyte (230 bytes) of virtual-address 
space. This large address space virtually eliminates restrictions on the number or size of programs 
that may be part of the system. 


• 
Large multiuser or real-time multitasking systems are easily supported by the iAPX 286. High- 
performance features, such as a very high-speed task switch, fast interrupt-response time, inter-task 
protection, and a quick and direct operating system interface, make the iAPX 286 highly suited to 
multiuser jmultitasking applications. 


• 
The iAPX 286 has two operating modes: Real-Address mode and Protected-Address mode. In Real- 
Address mode, the iAPX 286 is fully compatible with the iAPX 86, iAPX 88, iAPX 186, and iAPX 
188 microprocessors; all of the extensive libraries of iAPX 86 and iAPX 88 software execute four 
to six times faster on the iAPX 286, without any modification. 


• 
In Protected-Address mode, the advanced memory management and protection features of the iAPX 
286 become available, without any reduction in performance. Upgrading iAPX 86 and iAPX 88 
application programs to use these new memory management and protection features usually requires 
only reassembly or recompilation (some programs may require minor modification). This compati- 
bility between iAPX 286 and iAPX 86 processor families reduces both the time and the cost of 
software development. 


Over the last several years, the increase in microcomputer system and software complexity has given 
birth to a new family of microprocessor products oriented towards solving these increasingly complex 
problems. These new generations of microprocessors are both powerful and flexible, and include many 
processor enhancements, such as numeric (floating-point) extensions, I/0 
processors, and operating- 


system functionality in silicon. 


As Intel's product line has grown and evolved, its microprocessor product numbering system has evolved 
into a comprehensive numbering scheme, while still including the basis of previous 8086 nomenclature. 


Intel has adopted the following prefixes to provide differentiation and consistency among its Micro- 
system 80-related product lines: 


iAPX-Processor 
Series 


iRMX-Operating 
Systems 


iSBC-Single-Board 
Computers 


iSBX-MULTIMODULE 
Boards 


iAPX 86-8086 
CPU family 


iAPX 88-8088 
CPU family 


iAPX 186-80186 
CPU family 


iAPX 286-80286 
CPU family 


Each processor family consists of the CPU (e.g., 80286), processor extensions (80287 for the iAPX 
286), and bus support circuits, such as the 82284 Clock Generator and 82288 Bus Controller. With 
additional suffix information, configuration options for particular iAPX systems can be identified, such 
as the inclusion of Numeric Processor Extensions and I/0 
Processors. For the iAPX 286 family: 


iAPX 286/IG--indicates 
80286 CPU alone 


iAPX 286/2G--indicates 
80286 CPU + 80287 NPX 


This nomenclature is intended as an addition to Intel's regular part-numbering scheme. The series-level 
nomenclature describes the functional capabilities provided by specific configurations of the iAPX 
processor families. The hardware used to implement each functional configuration is still described by 
referring to the parts involved (as is the case for most of the 80287 information described in this 
supplement). 


This improved nomenclature provides a more meaningful view of system capability and performance 
within the evolving Microsystem 80 architecture. 


This supplement describes the 80287 Numeric Processor Extension (NPX) for the iAPX 286 micro- 
processor. The material in this supplement is presented from the perspective of software designers, 
both at an applications and at a'systems software level. 


• 
Chapter One, "Overview of Numeric Processing," gives an overview of the 80287 NPX and reviews 
the concepts of numeric computation using the 80287. 


• 
Chapter Two, "Programming Numeric Applications," provides detailed information for software 
designers generating applications for iAPX 286/20 systems (systems containing an 80286 CPU with 


inter 


an 80287 NPX). The iAPX 286/20 instruction set mnemonics are explained in detail, along with a 
description of programming facilities for iAPX 286/20 systems. A comparative iAPX 286/20 
programming example is given. 


• 
Chapter Three, "System-Level Numeric Programming," provides information of interest to systems 
software writers, including details of the iAPX 286/20 architecture and operational characteristics. 


• 
Chapter Four, "Numeric Programming Examples," provides several detailed programming examples 
for the iAPX 286/20, including conditional branching, the conversion between floating-point values 
and their ASCII representations, and the calculation of several trigonometric functions. These 
examples illustrate assembly-language programming on the 80287 NPX. 


• 
Appendix A, "Machine Instruction Encoding and Decoding," gives reference information on the 
encoding of NPX instructions. 


• 
Appendix B, "Compatability 
between the 80287 NPX and the 8087," describes the differences 
between the 80287 and the 8087. 


• 
Appendix C, "Implementing the IEEE P754 Standard," gives details of the IEEE P754 Standard. 


• 
Appendix D, "80287 80-Bit HMOS Numeric Processor Extension," provides hardware details of 
the 80287 and the iAPX 286/20. 


• 
The Glossary defines 80287 and floating-point terminology. Refer to it as needed. 


To best use the material in this supplement, readers should be familiar with the operation and archi- 
tecture of iAPX 286 systems. The following manuals contain information related to the content of this 
supplement and of interest to programmers of iAPX 286/20 systems: 


• 
Introduction to the iAPX 286, order number 210308 


• 
iAPX 286 Programmer's Reference Manual, order number 210498 
• 
ASM286 Assembly Language Reference Manual, order number 121924 


• 
iAPX 286 Operating System Writer's Guide, order number 121960 


• 
iAPX 286 Hardware Reference Manual, order number 210760 


• 
Microprocessor and Peripheral Handbook, order number 210844 


• 
PL/M-286 User's Guide, order number 121945 


• 
80287 Support Library Reference Manual, order number 122129 


• 
8086 Software Toolbox Manual, order number 122203 (includes information about 80287 Emulator 
Software) 
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CHAPTER 
1 
OVERVIEW 
OF NUMERIC 
PROCESSING 


The 80287 NPX is a high-performance numerics processing element that extends the iAPX 286/10 
architecture by adding significant numeric capabilities and direct support for floating-point, extended- 
integer, and BCD data types. The iAPX 286/20 computing system (80286 CPU with 80287 NPX) 
easily supports powerful and accurate numeric applications through its implementation of the proposed 
IEEE 754 Standard for Binary Floating-Point Arithmetic. 


The 80287 Numeric Processor Extension (NPX) is highly compatible with its predecessor, the earlier 
Intel 8087 NPX. 


The 8087 NPX was designed for use in iAPX 86-family systems. The iAPX 86 was the first micro- 
processor family to partition the processing unit to permit high-performance numeric capabilities. The 
8087 NPX for this processor family implemented a complete numeric processing environment in 
compliance with the proposed IEEE 754 Floating-Point Standard. 


With the 80287 Numeric Processor Extension, high-speed numeric computations have been extended 
to iAPX 286 high-performance multi-tasking and multi-user systems. Multiple tasks using the numeric 
processor extension are afforded the full protection of the iAPX 286 memory management and protec- 
tion features. 


Figure I-I illustrates the relative performance of 8-MHz iAPX 86/20 and iAPX 286/20 systems in 
executing numerics-oriented applications. 


DOUBLE·PRECISION 
WHETSTONE 
PERFORMANCE 


(KOPS) 
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IAPX 288/20 
) 


.--....../ 
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Table 
1-1 compares 
the execution 
times of several 
80287 instructions 
with the equivalent 
operations 
executed 
in software 
on an 8-MHz 
80286. 
The software 
equivalents 
are highly-optimized 
assembly- 


language 
procedures 
from the 80287 
emulator. 
As indicated 
in the table, 
the 80287 
NPX 
provides 
about 
50 to 100 times the performance 
of software 
numeric 
routines 
on the 80286 CPU. 
An 8-MHz 
80287 multiplies 
32-bit and 64-bit real numbers 
in about 
11.9 and 16.9 microseconds, 
respectively. 
Of 
course, 
the actual 
performance 
of the NPX 
in a given system 
depends 
on the characteristics 
of the 
individual 
application. 


Although 
the performance 
figures shown in table 1-1 refer to operations 
on real (floating-point) 
numbers, 
the 80287 also manipulates 
fixed-point 
binary and decimal 
integers 
of up to 64 bits or 18 digits, respec- 


tively. The 80287 can improve 
the speed of multiple-precision 
software 
algorithms 
for integer 
opera- 


tions by 10 to 100 times. 


Because 
the 80287 NPX is an extension 
of the 80286 CPU, no software 
overhead 
is incurred 
in setting 
up the NPX 
for computation. 
The 80287 and 80286 processors 
coordinate 
their activities 
in a manner 


transparent 
to software. 
Moreover, 
built-in coordination 
facilities 
allow the 80286 CPU to proceed 
with 


other 
instructions 
while the 80287 NPX 
is simultaneously 
executing 
numeric 
instructions. 
Programs 


can exploit this concurrency 
of execution 
to further 
increase 
system performance 
and throughput. 


The 
80287 
NPX 
offers 
more than 
raw execution 
speed 
for computation-intensive 
tasks. 
The 
80287 
brings the functionality 
and power of accurate 
numeric 
computation 
into the hands of the general 
user. 


Like the 8087 NPX that preceded 
it, the 80287 is explicitly 
designed 
to deliver stable, accurate 
results 
when 
programmed 
using 
straightforward 
"pencil 
and 
paper" 
algorithms. 
The IEEE 754 standard 


specifically 
addresses 
this issue, recognizing 
the fundamental 
importance 
of making 
numeric 
compu- 


tations 
both easy and safe to use. 


For example, 
most computers 
can overflow when two single-precision 
floating-point 
numbers 
are multi- 
plied together 
and then divided 
by a third, 
even if the final result 
is a perfectly 
valid 32-bit number. 
The 80287 delivers the correctly 
rounded 
result. Other 
typical examples 
of undesirable 
machine 
behav- 


ior in straightforward 
calculations 
occur when solving for the roots of a quadratic 
equation: 
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Approximate Performance Ratios: 
8 MHz iAPX 286/20 
to 
8 MHz Protected Mode iAPX using E80287 
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or computing financial rate of return, which involves the expression: (1 +i)n. On most machines, 
straightforward algorithms will not deliver consistently correct results (and will not indicate when they 
are incorrect). To obtain correct results on traditional machines under all conditions usually requires 
sophisticated 
numerical 
techniques 
that are. foreign to most programmers. 
General application 
programmers using straightforward algorithms will produce much more reliable programs using the 
80287. This simple fact greatly reduces the software investment required to develop safe, accurate 
computation-based products. 


Beyond traditional numerics support for scientific applications, the 80287 has built-in facilities for 
commercial computing. It can process decimal numbers of up to 18 digits without round-off errors, 
performing exact arithmetic on integers as large as 264 or 1018• Exact arithmetic is vital in accounting 
applications where rounding errors may introduce monetary losses that cannot be reconciled. 


The NPX contains a number of optional facilities that can be invoked by sophisticated users. These 
advanced features include two models of infinity, directed rounding, gradual underflow, and either 
automatic or programmed exception-handling facilities. 


These automatic exception-handling facilities permit a high degree of flexibility in numeric processing 
software, without burdening the programmer. 
While performing numeric calculations, the NPX 
automatically detects exception conditions that can potentially damage a calculation. By default, on- 
chip exception handlers may be invoked to field these exceptions so that a reasonable result is produced, 
and execution may proceed without program interruption. Alternatively, the NPX can signal the CPU, 
invoking a software exception handler whenever various types of exceptions are detected. 


The NPX's versatility and performance make it appropriate to a broad array of numeric applications. 
In general, applications that exhibit any of the following characteristics can benefit by implementing 
numeric processing on the 80287: 


Numeric data vary over a wide range of values, or include nonintegral values. 


Algorithms produce very large or very small intermediate results. 


Computations must be very precise; i.e., a large number of significant digits must be maintained. 
Performance requirements exceed the capacity of traditional microprocessors. 


Consistently safe, reliable results must be delivered using a programming staff that is not expert in 
numerical techniques. 


Note also that the 80287 can reduce software development costs and improve the performance of 
systems that use not only real numbers, but operate on multiprecision binary or decimal integer values 
as well. 


A few examples, which show how the 80287 might be used in specific numerics applications, are 
described below. In many cases, these types of systems have been implemented in the past with 
minicomputers. The advent of the 80287 brings the size and cost savings of microprocessor technology 
to these applications for the first time. 


Business data processing-The 
NPX's ability to accept decimal operands and produce exact decimal 
results of up to 18 digits greatly simplifies accounting programming. Financial calculations that use 
power functions can take advantage of the 80287's exponentiation and logarithmic instructions. 


• 
Process control-The 
80287 solves dynamic range problems automatically, and its extended preci- 


sion allows control functions to be fine-tuned for more accurate and efficient performance. Control 
algorithms implemented with the NPX also contribute to improved reliability and safety, while the 
80287's speed can be exploited in real-time operations. 


• 
Computer numerical control (CNC)-The 
80287 can move and position machine tool heads with 


accuracy in real-time. Axis positioning also benefits from the hardware trigonometric support provided 
by the 80287. 


• 
Robotics-Coupling 
small size and modest power requirements with powerful computational abili- 


ties, the NPX is ideal for on-board six-axis positioning. 


• 
Navigation-Very 
small, lightweight, and accurate inertial guidance systems can be implemented 


with the 80287. Its built-in trigonometric functions can speed and simplify the calculation of position 
from bearing data. 


• 
Graphics terminals-The 
80287 can be used in graphics terminals to locally perform many functions 


that normally demand the attention of a main computer; these include rotation, scaling, and inter- 
polation. By also using an 82720 Graphics Display Controller to perform high speed data transfers, 
very powerful and highly self-sufficient terminals can be built from a relatively small number of 
80286 family parts. 


• 
Data acquisition-The 
80287 can be used to scan, scale, and reduce large quantities of data as it is 


collected, thereby lowering storage requirements and time required to process the data for analysis. 


The preceding examples are oriented toward traditional numerics applications. There are, in addition, 
many other types of systems that do not appear to the end user as computational, but can employ the 
80287 to advantage. Indeed, the 80287 presents the imaginative system designer with an opportunity 
similar to that created by the introduction of the microprocessor itself. Many applications can be viewed 
as numerically-based if sufficient computational power is available to support this view. This is analo- 
gous to the thousands of successful products that have been built around "buried" microprocessors, 
even though the products themselves bear little resemblance to computers. 


The architecture 
of the iAPX 286/10 
CPU is specifically adapted 
to allow easy upgradability 


to an iAPX 286/20 system, simply by plugging in the 80287 NPX. For this reason, designers of 
iAPX 286/10 systems may wish to incorporate the 80287 NPX into their designs in order to offer two 
levels of price and performance at little additional cost. 


Two features of the 80286 CPU make the design and support of upgradable iAPX 286 systems partic- 
ularly simple: 


• 
The 80286 can be programmed to recognize the presence of an 80287 NPX; that is, software can 
recognize whether it is running on an iAPX 286/10 or an iAPX 286/20 system. 


• 
After determining whether the 80287 NPX is available, the 80286 CPU can be instructed to let the 
NPX execute all numeric instructions. If an 80287 NPX is not available, the 80286 CPU can emulate 
all 80287 numeric instructions in software. This emulation is completely transparent to the appli- 
cation software-the 
same object code may be used by both iAPX 286/10 and 286/20 systems. No 


relinking or recompiling of application software is necessary; the same code will simply execute 
faster on the iAPX 286/20 than on the iAPX 286/10 system. 


To facilitate this design of upgradable iAPX 286/10 systems, Intel provides a software emulator for 
the 80287 that provides the functional equivalent of the 80287 hardware, implemented in software on 


the 80286. Except for timing, the operation of this 80287 emulator 
(E80287) is the same as 
for the 80287 NPX hardware. When the emulator is combined as part of the systems software, the 
iAPX 286/10 system with 80287 emulation and the iAPX 286/20 (with 80287 hardware) are virtually 
indistinguishable to an application program. This capability makes it easy for software developers to 
maintain a single set of programs for both iAPX 286/10 and iAPX 286/20 systems. System manufac- 
turers can offer the NPX as a simple plug-in performance option without necessitating any changes in 
the user's software. 


The iAPX 286/20 is programmed as a single processor; all of the 80287 registers appear to a program- 
mer as extensions of the basic 80286 register set. The 80286 has a class of instructions known as 
ESCAPE instructions, all having a common format. These ESC instructions are numeric instructions 
for the 80287 NPX. These numeric instructions for the 80287 are simply encoded into the instruction 
stream along with 80286 instructions. 


All of the CPU memory-addressing modes may be used in programming the NPX, allowing convenient 
access to record structures, numeric arrays, and other memory-based data structures. All of the memory 
management and protection features of the CPU are extended to the NPX as well. 


Numeric processing in the 80287 centers around the NPX register stack. Programmers can treat these 
eight 80-bit registers as either a fixed register set, with instructions operating on explicitly-designated 
registers, or a classical stack, with instructions operating on the top one or two stack elements. 


Internally, the 80287 holds all numbers in a uniform 80-bit temporary-real format. Operands that may 
be represented in memory as 16-, 32-, or 64-bit integers, 32-, 64-, or 80-bit floating-poiIi.tnumbers, or 
18-digit packed BCD numbers, are automatically converted into temporary-real format as they are 
loaded into the NPX registers. Computation results are subsequently converted back into one of these 
destination data formats when they are stored into memory from the NPX registers. 


Table 1-2 lists each of the seven data types supported by the 80287, showing the data format for each 
type. All operands are stored in memory with the least significant digits starting at the initial (lowest) 
memory address. Numeric instructions access and store memory operands using only this initial address. 
For maximum system performance, all operands should start at even memory addresses. 


Data Type 
Bits 
Significant 
Approximate 
Range (Decimal) 
Digits (Decimal) 


Word integer 
16 
4 
-32,768 
::; X ::; +32,767 


Short integer 
32 
9 
-2X109 
::; X::; 
+2X109 


Long integer 
64 
18 
-9X10'8::; 
X ::; +9X10'8 


Packed 
decimal 
80 
18 
-99 
...99 ::; X ::; +99 ...99 (18 digits) 


Short 
real 
32 
6-7 
8.43 X 10-37::; I X I::; 
3.37X 
1Q3B 


Long real 
64 
15-16 
4.19X10-307::; 
IXI::; 
1.67X10308 


Temporary 
real 
80 
19 
3.4 X 10-4932::; I X I ::; 1.2 X 104932 


- 
- 


., .- --- ---- 
80287, because all of the NPX instructions and data typ"esare directly supported by the ASM286 
Assembler and Intel's appropriate high-level languages. 


Software routines for the iAPX 286/20 may be written in ASM286 Assembler or any of the following 
higher-level languages: 


PL/M-286 
PASCAL-286 
FORTRAN-286 
C-286 


In addition, all of the development tools supporting the iAPX 86/20 (8086 and 8087) can also be used 
to develop software for the iAPX 286/20 operating in Real-Address mode. 


All of these high-level languages provide programmers with access to the computational power and 
speed of the 80287 without requiring an understanding of the architecture of the 80286 and 80287 
chips. Such architectural considerations as concurrency and data synchronization are handled automat- 
ically by these high-level languages. For the ASM286 programmer, specific rules for handling these 
issues are discussed in a later section of this supplement. 


As an extension of the iAPX 286/10 processor, the 80287 is wired very much in parallel with the 
80286 CPU. Four special status signals, PEREQ, PEACK, BUSY, and ERROR, 
permit the two 


processors to coordinate their activities. The 80287 NPX also monitors the 80286 ST, SO, COD/IN'fA, 
READY, HLDA, and CLK pins to monitor the execution of ESC instructions (numeric instructions) 
by the 80286. 


As shown in figure 1-2, the 80287 NPX is divided internally into two processing elements; the Bus 
Interface Unit (BIU) and the Numeric Execution Unit (NEU). The two units operate independently 
of one another: the BIU receives and decodes instructions, requests operand transfers with memory, 
and 
executes 
processor 
control 
instructions, 
whereas 
the 
NEU 
processes 
individual 
numeric 
instructions. 


Load (all data types). 
Store (all data types). 
Exchange 


Add. 
Subtract. 
Multiply. 
Divide. 
Subtract 
Reversed. 
Divide 


Reversed, 
Square Root, Scale. Remainder. 
Integer Part. Change 


Sign. Absolute 
Value. Extract 


Compare. 
Examine. 
Test 


Tangent. 
Arctangent. 
2x -1. 
Y.Log2(X + 1). Y.Log2(X) 
o. 1..•.. Log,02. Log.2. 
Log210. Log2e 


Load 
Control 
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The BIU handles all of the status and signal lines between the 80287 and the 80286. The NEU executes 
all instructions that involve the register stack. These instructions include arithmetic, logical, transcen- 
dental, constant, and data transfer instructions. The data path in the NEU is 84 bits wide (68 fraction 
bits, 15 exponent bits, and a sign bit), allowing internal operand transfers to be performed at very high 
speeds. 


The 80287 executes a single numeric instruction at a time. Before executing most ESC instructions, 
the 80286 tests the BUSY pin and, before initiating the command, waits until the 80287 indicates that 
it is not busy. Once initiated, the 80286 continues program execution, while the 80287 executes the 
numeric instruction. Unlike iAPX 86/20 systems, which required a WAIT instruction to test the BUSY 
signal before each ESC opcode, these WAIT instructions are permissible, but not necessary, in iAPX 
286/20 programs. 


In all cases, a WAIT or ESC instruction should be inserted after any 80287 store to memory (except 
FSTSW or FSTCW) or load from memory (except FLDENV, FLDCW, or FRSTOR) before the 80286 
reads or changes the memory value. 


When needed, all data transfers between memory and the 80287 NPX are performed by the 80286 
CPU, using its Processor Extension Data Channel. Numeric data transfers performed by the 80286 
use the same timing as any other bus cycle, and all such transfers come under the supervision of the 
iAPX 286 memory management and protection mechanisms. The 80286 Processor Extension Data 
Channel and the hardware interface between the 80286 and 80287 processors are described in Chapter 
Six of the iAPX 286 Hardware Reference Manual. 


From the programmer's perspective, the 80287 can be considered just an extension of the 80286 
processor. All interaction between the 80286 and the 80287 processors on the hardware level is handled 
automatically by the 80286 and is transparent to the software. 
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To communicate 
with the 80287, the 80286 uses the reserved 
I/O 
port addresses 
00F8H, 
OOFAH, and 


OOFCH (I/O 
ports numbered 
00F8H 
through 
OOFFH are reserved 
for the 80286/80287 
interface). 
These I/0 
operations 
are performed 
automatically 
by the 80286 and are distinct 
from I/0 
operations 


that result from program 
I/0 
instructions. 
I/O 
operations 
resulting 
from the execution 
of ESC instruc- 
tions are completely 
transparent 
to software. 
Any program 
may execute 
ESCAPE 
(numeric) 
instruc- 


tions, without 
regard 
to its current 
I/O 
Privilege 
Level (IOPL). 


To guarantee 
correct 
operation 
of the 80287, iAPX 286 programs 
must not perform 
any explicit 
I/0 


operations 
to any of the eight ports reserved 
for the 80287. The IOPL 
of the iAPX 286 can be used to 


protect 
the integrity 
of 80287 computations 
in multiuser 
reprogrammable 
applications, 
preventing 
any 
accidental 
or other tampering 
with the 80287 (see Chapter 
Eight of the iAPX 286 Operating System 


Writer's Guide). 


To the programmer, 
the 80287 NPX 
appears 
as a set of additional 
registers 
complementing 
those of 
the 80286. These additional 
registers 
consist of 


• 
Eight individually-addressable 
80-bit numeric 
registers, 
organized 
as a register 
stack 


• 
Three sixteen-bit 
registers 
containing: 
an NPX 
status 
word 


an NPX 
control word 


a tag word 


• 
Four 16-bit registers 
containing 
the NPX 
instruction 
and data pointers 


The 80287 
register 
stack 
is shown in figure 
1-3. Each 
of the eight 
numeric 
registers 
in the 80287's 
register 
stack is 80 bits wide and is divided into fields corresponding 
to the NPX's 
temporary-real 
data 
type. 


Numeric 
instructions 
address 
the data registers 
relative 
to the register 
on the top of the stack. 
At any 
point in time, 
this top-of-stack 
register 
is indicated 
by the ST (Stack 
Top) 
field in the NPX 
status 
word. Load or push operations 
decrement 
ST by one and load a value into the new top register. 
A store- 
and-pop 
operation 
stores the value from the current 
ST register 
and then increments 
ST by one. Like 
80286 stacks in memory, 
the 80287 register 
stack grows down toward 
lower-addressed 
registers. 


Many 
numeric 
instructions 
have several 
addressing 
modes 
that 
permit 
the programmer 
to implicitly 
operate 
on the top of the stack, 
or to explicitly 
operate 
on specific 
registers 
relative 
to the ST. The 
ASM286 
Assembler 
supports 
these register 
addressing 
modes, 
using the expression 
ST(O), or simply 
ST, to represent 
the current 
Stack Top and ST(i) to specify the i'th register 
from ST in the stack (0 .::5 


i .::5 7). For example, 
if ST contains 
0 II B (register 
3 is the top of the stack), 
the following statement 


would add the contents 
of the top two registers 
on the stack (registers 
3 and 5); 


The 
stack 
organization 
and 
top-relative 
addressing 
of the 
numeric 
registers 
simplify 
subroutine 
programming 
by allowing routines 
to pass parameters 
on the register 
stack. 
By using the stack to pass 
parameters 
rather 
than using "dedicated" 
registers, 
calling 
routines 
gain more flexibility 
in how they 
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use the stack. As long as the stack is not full, each routine simply loads the parameters onto the stack 
before calling a particular subroutine to perform a numeric calculation. The subroutine then addresses 
its parameters as ST, ST(I), etc., even though ST may, for example, refer to physical register 3 in one 
invocation and physical register 5 in another. 


The 16-bit status word shown in figure 1-4 reflects the overall state of the 80287. This status word may 
be stored into memory using the FSTSW /FNSTSW, 
FSTENV /FNSTENV, 
and FSAVE/FNSA VE 
instructions, and can be transferred into the 80286 AX register with the FSTSW AX/FNSTSW 
AX 
instructions, allowing the NPX status to be inspected by the CPU. 


The Busy bit (bit 15) and the BUSY pin indicate whether the 80287's execution unit is idle (B= 0) or 
is executing a numeric instruction or signalling an exception (B= 1). (The instructions FNSTSW, 
FNSTSW AX, FNSTENV, and FNSAVE do not set the Busy bit themselves, nor do they require the 
Busy bit to be clear in order to execute.) 


The four NPX condition code bits (Co-C)) are similar to the flags in a CPU: the 80287 updates these 
bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition 
code bits is summarized in table 1-4. These condition code bits are used principally for conditional 
branching. The FSTSW AX instruction stores the NPX status word directly into the CPU AX register, 
allowing these condition codes to be inspected efficiently by 80286 code. 


Bits 12-14 of the status word point to the 80287 register that is the current Stack Top (ST). The 
significance of the stack top has been described in the section on the Register Stack. 


EXCEPTION 
FLAGS 
(1 = EXCEPTION 
HAS OCCURRED) 


INVALID 
OPERATION" 


DENORMALIZED 
OPERAND" 


ZERO 
DIVIDE" 


OVERFLOW" 


UNDERFLOW" 


PRECISION" 


(RESERVED) 


ERROR SUMMARY STATUS(1) 


CONDITION CODE(2) 


STACK TOP POINTER(3) 


NEU BUSY 


(1) ES IS SET IF ANY UNMASKED 
EXCEPTION 
BIT IS SET, CLEARED OTHERWISE. 
(2) 
SEE TABLE '-4 FOR CONDITION 
CODE 
INTERPRETATION. 


(3) ST VALUES 


000 
~ 
REGISTER 0 IS TOP OF STACK 


001 
~ 
REGISTER 
liS 
TOP OF STACK 


111 ~ 
REGISTER 71S TOP OF STACK 


'FOR DEFINITIONS, 
SEE THE SECTION ON EXCEPTION 
HANDLING 


Instruction 
C. 
C. 
C, 
Co 
Interpretation 
Type 


Compare, 
Test 
0 
0 
X 
0 
ST > Source 
or 0 (FTST) 
0 
0 
X 
1 
ST < Source 
or 0 (FTST) 
1 
0 
X 
0 
ST = Source 
or 0 (FTST) 
1 
1 
X 
1 
ST is not comparable 


Remainder 
Q, 
0 
Qo 
Q2 
Complete 
reduction 
with 
three 


low 
bits 
of quotient 
in Co, C3, 


and C, 
U 
1 
U 
U 
Incomplete 
Reduction 


Examine 
0 
0 
0 
0 
Valid, positive 
unnormalized 
0 
0 
0 
1 
Invalid, 
positive, 
exponent 
= 0 


0 
0 
1 
0 
Valid, negative, 
unnormalized 
0 
0 
1 
1 
Invalid, 
negative, 
exponent 
= 0 


0 
1 
0 
0 
Valid, positive, 
normalized 
0 
1 
0 
1 
Infinity, 
positive 
0 
1 
1 
0 
Valid, negative, 
normalized 
0 
1 
1 
1 
Infinity, 
negative 
1 
0 
0 
0 
Zero, 
positive 
1 
0 
0 
1 
Empty 
Register 
1 
0 
1 
0 
Zero, negative 
1 
0 
1 
1 
Empty 
Register 
1 
1 
0 
0 
Invalid, 
positive, 
exponent 
= 0 


1 
1 
0 
1 
Empty 
Register 
1 
1 
1 
0 
Invalid, 
negative, 
exponent 
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1 
1 
1 
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Empty 
Register 


NOTES: 
1. ST = Top of stack 
2. X = value is not affected 
by instruction 
3. 
U = value is undefined 
following 
instruction 
4. Qn = Quotient 
bit n following 
complete 
reduction 
(C2=O) 
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Figure 1-4 shows the six error flags in bits 0-5 of the status word. Bit 7 is the error summary status 
(ES) bit. ES is set if any unmasked exception bits are set, and is cleared otherwise. If this bit is set, 
the ERROR signal is asserted. Bits 0-5 indicate whether the NPX has detected one of six possible 
exception conditions since these status bits were last cleared or reset. 


The NPX provides the programmer with several processing options, which are selected by loading a 
word from memory into the control word. Figure 1-5 shows the format and encoding of the fields in 
the control word. 


The low-order byte of this control word configures the 80287 error and exception masking. Bits 0-5 of 
the control word contain individual masks for each of the six exception conditions recognized by the 
80287. The high-order byte of the control word configures the 80287 processing options, including 


Precision control 


Rounding control 


Infinity control 


The Precision control bits (bits 8-9) can be used to set the 80287 internal operating precision at less 
than the default precision (64-bit significand). These control bits can be used to provide compatibility 
with the earlier-generation arithmetic processors having less precision than the 80287, as required by 
the IEEE 754 standard. Setting a lower precision, however, will not affect the execution time of numeric 
calculations. 


EXCEPTION 
MASKS 
(1 ~EXCEPTION 
IS MASKED) 


INVALID 
OPERATION 


DENORMALIZED 
OPERAND 


ZERO 
DIVIDE 


OVERFLOW 


UNDERFLOW 


PRECISION 


(RESERVED) 


(RESERVED) 


PRECISION 
CONTROL 
111 


ROUNDING 
CONTROL(2) 


INFINITY 
CONTROL 
(0 ~ PROJECTIVE, 
1 = AFFINE) 


(RESERVED) 


(1) PRECISION CONTROL 


00 - 
24-BIT 
SIGNIFICAND 


01 - 
RESERVED 


10 - 
53-BIT 
SIGNIFICAND 


11 ~ 
54-BIT 
SIGNIFICAND 


(2) ROUNDING CONTROL 
00 
- 
ROUND TO NEAREST OR EVEN 
01 
- 
ROUND DOWN (TOWARD 
-00) 
10 ~ 
ROUND UP (TOWARD 
+00) 
11 - 
CHOP (TRUNCATE 
TOWARD ZERO) 


____ ---"-"'0 
-~ •••• ~, un" ,un" ,v-"} 
plUVlUC:: lOrUlrecreOrounamg ana true chop as well as the unbiased 
round-to-nearest-even mode specified in the IEEE 754 standard. 


The infinity control bit (bit 12) determines the manner in which the 80287 treats the special values of 
infinity. Either affine closure (where positive infinity is distinct from negative infinity) or projective 
closure (infinity is treated as a single unsigned quantity) may be specified. These two alternative views 
of infinity are discussed in the section on Computation Fundamentals. 


The tag word indicates the contents of each register in the register stack, as shown in figure 1-6. The 
tag word is used by the NPX itself in order to track its numeric registers and optimize performance. 
Programmers may use this tag information to interpret the contents of the numeric registers. The tag 
values are stored in the tag word corresponding to the physical registers 0-7. Programmers must use 
the current Stack Top (ST) pointer stored in the NPX status word to associate these tag values with 
the relative stack registers ST(O) through ST(7). 


The NPX instruction and data registers provide support for programmed exception-handlers. Whenever 
the 80287 executes a math instruction, the NPX internally saves the instruction address, the operand 
address (if present), and the instruction opcode. The 80287 FSTENV and FSAVE instructions store 
this data into memory, allowing exception handlers to determine the precise nature of any numeric 
exceptions that may be encountered. 


When stored in memory, the instruction and data pointers appear in one of two formats, depending on 
the operating mode of the 80287. Figure 1-7 shows these pointers as they are stored following an 
FSTENV instruction. In Real-Address mode, these values are the 20-bit physical address and II-bit 
opcode formatted like the 8087. In Protected mode, these values are the 32-bit virtual addresses used 
by the program that executed the ESC instruction. 


The instruction address saved in the 80287 will point to any prefixes that preceded the instruction. 
This is different from the 8087, for which the instruction address pointed only to the ESC instruction 
opcode. 
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This section covers 80287 programming concepts that are common to all applications. It describes the 
80287's internal number system and the various types of numbers that can be employed in NPX 
programs. The most commonly used options for rounding, precision, and infinity (selected by fields in 
the control word) are described, with exhaustive coverage of less frequently used facilities deferred to 
later sections. Exception conditions that may arise during execution of NPX instructions are also 
described along with the options that are available for responding to these exceptions. 


The system of real numbers that people use for pencil and paper calculations is conceptually infinite 
and continuous. There is no upper or lower limit to the magnitude of the numbers one can employ in a 
calculation, or to the precision (number of significant digits) that the numbers can represent. When 
considering any real number, there is always an infinity of numbers both larger and smaller. There is 
also an infinity of numbers between (Le., with more significant digits than) any two real numbers. For 
example, between 2.5 and 2.6 are 2.5r, 2.5897, 2.500001, etc. 


While ideally it would be desirable for a computer to be able to operate on the entire real number 
system, in practice this is not possible. Computers, no matter how large, ultimately have fixed-size 
registers and memories that limit the system of numbers that can be accommodated. These limitations 
determine both the range and the precision of numbers. The result is a set of numbers that is finite 
and discrete, rather than infinite and continuous. This sequence is a subset of the real numbers that is 
desi,gnedto form a useful approximation of the real number system. 
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Figure 1-8 superimposes the basic 80287 real number system on a real number line (decimal numbers 
are shown for clarity, although the 80287 actually represents numbers in binary). The dots indicate the 
subset of real numbers the 80287 can represent as data and final results of calculations. The 80287's 
range is approximately 
±4.l9XlO-307 to ±1.67Xl0308. Applications that are required to deal with 


data and final results outside this range are rare. For reference, the range of the IBM 370 is about 
± 0.54 X 10-78to ± 0.72 Xl 076. 


The finite spacing in figure 1-8 illustrates that the NPX can represent a great many, but not all, of the 
real numbers in its range. There is always a gap between two adjacent 80287 numbers, and it is possible 
for the result of a calculation to fall in this space. When this occurs, the NPX rounds the true result 
to a number that it can represent. Thus, a real number that requires more digits than the 80287 can 
accommodate (e.g., a 20-digit number) is represented with some loss of accuracy. Notice also that the 
80287's representable numbers are not distributed evenly along the real number line. In fact, an equal 
number of representable numbers exists between successive powers of 2 (i.e., as many representable 
numbers exist between 2 and 4 as between 65,536 and 131,072). Therefore, the gaps between repre- 
sentable numbers are larger as the numbers increase in magnitude. All integers in the range ± 264 
(approximately ± 1018),however, are exactly representable. 


In its internal operations, the 80287 actually employs a number system that is a substantial superset of 
that shown in figure 1-8. The internal format (called temporary real) extends the 80287's range to 
about ±3.4XlO-4932to ±1.2Xl.04932, and its precision to about 19 (equivalent decimal) digits. This 
format is designed to provide extra range and precision for constants and intermediate results, and is 
not normally intended for data or final results. 
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From a practical standpoint, the 80287's set of real numbers is sufficiently large and dense so as not 
to limit the vast majority of microprocessor applications. Compared to most computers, including 
mainframes, the NPX provides a very good 'approximation of the real number system. It is important 
to remember, however, that it is not an exact representation, and that arithmetic on real numbers is 
inherently approximate. 


Conversely, and equally important, the 80287 does perform exact arithmetic on integer operands. That 
is, an operation on two integers returns an exact integral result, provided that the true result is an 
integer and is in range. For example, 4-;.-2 yields an exact integer, 1-;.-3does not, and 240 X 230 + 1 
does not, because the result requires greater than 64 bits of precision. 


The 80287 recognizes seven numeric data types, divided into three classes: binary integers, packed 
decimal integers, and binary reals. A later section describes how these formats are stored in memory 
(the sign is always located in the highest-addressed byte). Figure 1-9 summarizes the format of each 
data type. In the figure, the most significant digits of all numbers (and fields within numbers) are the 
leftmost digits. Table 1-5 provides the range and number of signficant (decimal) digits that each format 
can accommodate. 


The three binary integer formats are identical except for length, which governs the range that can be 
accommodated in each format. The leftmost bit is interpreted as the number's sign: O=positive and 
1= negative. Negative numbers are represented in standard two's complement notation (the binary 
integers are the only 80287 format to use two's complement). The quantity zero is represented with a 
positive sign (all bits are 0). The 80287 word integer format is identical to the 16-bit signed integer 
data type of the 80286. 


Decimal integers are stored in packed decimal notation, with two decimal digits "packed" into each 
byte, except the leftmost byte, which carries the sign bit (0= positive, 1= negative). Negative numbers 
are not stored in two's complement form and are distinguished from positive numbers only by the 
sign bit. The most significant digit of the number is the leftmost digit. All digits must be in the range 
OH-9H. 


The 80287 stores real numbers in a three-field binary format that resembles scientific, or exponential, 
notation. The number's significant digits are held in the significand field, the exponent field locates 
the binary point within the significant digits (and therefore determines the number's magnitude), and 
the sign field indicates whether the number is positive or negative. (The exponent and significand are 
analogous to the terms "characteristic" 
and "mantissa" used to describe floating point numbers on 
some computers.) Negative numbers differ from positive numbers only in the sign bits of their 
significands. 
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NOTES; 
5 
Sign bit (O = positive. 1 ;. negative) 


dn 
Decimal digit (two per byte) 


X 
Bits have no significance; 80287 
ignores when loading, zeros when storing. 


A 
Position of implicit binary point 


Integer 
bit of slgnificand: 
stored 
in temporary 
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(always 
1) in short and long real 


Exponent 
Bias (normalized 
values): 


Short Real; 127 (7FH) 
Long Real; 
1023 (3FFH) 
Temporary Real; 
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Table 1-5 shows how the real number 178.125 (decimal) is stored in the 80287 short real format. The 
table lists a progression of equivalent notations that express the same value to show how a number can 
be converted from one form to another. The ASM286 and PL/M-286 language translators perform a 
similar process when they encounter programmer-defined real number constants. Note that not every 
decimal fraction has an exact binary equivalent. The decimal number 1/ 10, for example, cannot be 
expressed exactly in binary (just as the number 1/3 cannot be expressed exactly in decimal). When a 
translator encounters such a value, it produces a rounded binary approximation of the decimal value. 
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Notation 
Value 
.;, 


I 
,•..r 


Ordinary Decimal 
178.125 


. 
L 


Scientific Decimal 
1~78125E2 


Scientific Binary 
1~0110010001E111 


Scientific Binary 
1~0110010001E10000110 
(Biased Exponent) 


Sign 
Biased Exponent 
Significand 
80287 Short Real 
(Normalized) 
0 
10000110 
~100100010000000000000 
1~ (implicit) 


The NPX usually carries the digits of the significand in normalized form. This means that, except for 
the value zero, the significand is an integer and a fraction as follows: 


where a indicates an assumed binary point. The number of fraction bits varies according to the real 
format: 23 for short, 52 for long, and 63 for temporary real. By normalizing real numbers so that their 
integer bit is always a 1, the 80287 eliminates leading zeros in small values (bd < 1). This technique 
maximizes the number of significant digits that can be accommodated in a significand of a given width. 
Note that, in the short and long real formats, the integer bit is implicit and is not actually stored; the 
integer bit is physically present in the temporary real format only. 


If one were to examine only the signficand with its assumed binary point, all normalized real numbers 
would have values between 1 and 2. The exponent field locates the actual binary point in the significant 
digits. Just as in decimal scientific notation, a positive exponent has the effect of moving the binary 
point to the right, and a negative exponent effectively moves the binary point to the left, inserting 
leading zeros as necessary. An unbiased exponent of zero indicates that the position of the assumed 
binary point is also the position of the actual binary point. The exponent field, then, determines a real 
number's magnitude. 


In order to simplify comparing real numbers (e.g., for sorting), the 80287 stores exponents in a biased 
form. This means that a constant is added to the true exponent described above. The value of this bias 
is different for each real format (see figure 1-9). It has been chosen so as to force the biased exponent 
to be a positive value. This allows two real numbers (of the same format and sign) to be compared as 
if they are unsigned binary integers. That is, when comparing them bitwise from left to right (begin- 
ning with the leftmost exponent bit), the first bit position that differs orders the numbers; there is no 
need to proceed further with the comparison. A number's true exponent can be determined simply by 
subtracting the bias value of its format. 


The short and long real formats exist in memory only. If a number in one of these formats is loaded 
into an 80287 register, it is automatically converted to temporary real, the format used for all internal 
operations. Likewise, data in registers can be converted to short or long real for storage in memory. 
The temporary real format may be used in memory also, typically to store intermediate results that 
cannot be held in registers. 


________ 
•• __ 
•. 
_ ••.•.•..••.•.••.•.u.'"" 
~""';'U.\."" 
1"- 
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sufficient range and precision to return correct results with a minimum of programmer attention. The 
short real format is appropriate for applications that are constrained by memory, but it should be 
recognized that this format provides a smaller margin of safety. It is also useful for debugging algorithms, 
because roundoff problems will manifest themselves more quickly in this format. The temporary real 
format should normally be reserved for holding intermediate results, loop accumulations, and constants. 
Its extra length is designed to shield final results from the effects of rounding and overflow/underflow 
in intermediate calculations. However, the range and precision of the long real form are adequate for 
most microcomputer applications. 


Internally, the 80287 employs three extra bits (guard, round, and sticky bits) that enable it to represent 
the infinitely precise true result of a computation; these bits are not accessible to programmers. Whenever 
the destination can represent the infinitely precise true result, the 80287 delivers it. Rounding occurs 
in arithmetic and store operations when the format of the destination cannot exactly represent the 
infinitely precise true result. For example, a real number may be rounded if it is stored in a shorter 
real format, or in an integer format. Or, the infinitely precise true result may be rounded when it is 
returned to a register. 


The NPX has four rounding modes, selectable by the RC field in the control word (see figure 1-5). 
Given a true result b that cannot be represented by the target data type, the 80287 determines the two 
representable numbers 0 and c that most closely bracket b in value (0 < b < c). The processor then 
rounds (changes) b to 0 or to c according to the mode selected by the RC field as shown in table 1-6. 
Round introduces an error in a result that is less than one unit in the last place to which the result is 
rounded. "Round to nearest" is the default mode and is suitable for most applications; it provides the 
most accurate and statistically unbiased estimate of the true result. The chop mode is provided for 
integer arithmetic applications. 


"Round up" and "round down" are termed directed rounding and can be used to implement interval 
arithmetic. Interval arithmetic generates a certifiable result independent of the occurrence of rounding 
and other errors. The upper and lower bounds of an interval may be computed by executing an algorithm 
twice, rounding up in one pass and down in the other. 


The 80287 allows results to be calculated with either 64, 53, or 24 bits of precision in the significand 
as selected by the precision control (PC) field of the control word. The default setting, and the one 
that is best suited for most applications, is the full 64 bits of significance provided by the temporary- 


RC Field 
Rounding Mode 
Rounding Action 


00 
Round to nearest 
Closer to b of a or c; if equally close, 


I' 
select even number (the one whose 
least significant bit is zero). 


01 
Round down (toward -00) 
a 


10 
Round up (toward +00) 
c 


11 
Chop (toward 0) 
Smaller in magnitude of a or c 


inter 


real format. the other settings are required by the proposed IEEE standard, and are provided to obtain 
compatibility with the specifications of certain existing programming languages. Specifying less preci- 
sion nullifies the advantages of the temporary real format's extended fraction length, and does not 
increase execution speed. When reduced precision is specified, the rounding of the fractional value 
clears the unused bits on the right to zeros. 


The 80287's system of real numbers may be closed by either of two models of infinity. These two means 
of closing the number system, projective and affine closure, are illustrated schematically in figure 
1-10. The setting of the Ie field in the control word selects one model or the other. The default means 
of closure is projective, and this is recommended for most computations. When projective closure is 
selected, the NPX treats the special values +00 and 
-(X) as a single unsigned infinity (similar to its 
treatment of signed zeros). In the affine mode the NPX respects the signs of +00 and -(X). 


While affine mode may provide more information than projective, there are occasions when the sign 
may in fact represent misinformation. For example, consider an algorithm that yields an intermediate 
result x of +0 and -0 
(the same numeric value) in different executions. If l/x were then computed 
in affine mode, two entirely different values (+ 
(X) and - (0) would result from numerically identical 
values of x. Projective mode, on the other hand, provides less information but never returns misinfor- 
mation. In general, then, projective mode should be used globally, with affine mode reserved for local 
computations where the programmer can take advantage of the sign and knows for certain that the 
nature of the computations will not produce a misleading result. 


Besides being able to represent positive and negative numbers, the 80287 data formats may be used to 
describe other entities. These special values provide extra flexibility, but most users will not need to 
understand them in order to use the 80287 successfully. This section describes the special values that 
may occur in certain cases and the significance of each. The 80286 exceptions are also described, for 
writers of exception handlers and for those interested in probing the limits of computation using the 
80287. 


The material presented in this section is mainly of interest to programmers concerned with writing 
exception handlers. For many readers, this section can be browsed lightly. 


I 
o 
AFFINE CLOSURE 


The 80287 data formats encompass encodings for a variety of special values in addition to the typical 
real or integer data values that result from normal calculations. These special values have significance 
and can express relevant information about the computations or operations that produced them. The 
various types of special values are 


• 
Non-normal real numbers, including 


denormals 
unnormals 


• 
Zeros and pseudo zeros 


• 
Positive and negative infinity 


• 
NaN (Not-a-Number) 


• 
Indefini te 


The following description explains the origins and significance of each of these special values. Tables 
1-12 through 1-15 at the end of this section show how each of these special values is encoded for each 
of the numeric data types. 


As described previously, the 80287 generally stores nonzero real numbers in normalized floating-point 
form; that is, the integer (leading) bit of the significand is always a 1. This bit is explicitly stored in 
the temporary real format, and is implicitly assumed to be a one (l~) in the short- and long-real formats. 
Since leading zeros are eliminated, normalized storage allows the maximum number of significant 
digits to be held in a significand of a given width. 


When a floating-point numeric value becomes very close to zero, normalized storage cannot be used to 
express the value accurately. To accommodate these instances, the 80287 can store and operate on 
reals that are not normalized, i.e., whose significands contain one or more leading zeros. Nonnormals 
typically arise when the result of a calculation yields a value that is too small to be represented in 
normal form. 


• 
The floating-point exponent may be stored at its most negative value (a Denormal), 


• 
The integer bit (and perhaps other leading bits) of the significand may be zero (an Unnormal). 


The leading zeros of nonnormals permit smaller numbers to be represented, at the cost of some lost 
precision (the number of significant bits is reduced by the leading zeros). In typical algorithms, extremely 
small values are most likely to be generated as intermediate, rather than final results. By using the 
NPX's temporary real format for holding intermediate, values as small as ± 3.4X 
10-4932 can be repre- 
sented; this makes the occurrence of nonnormal numbers a rare phenomenon in 80287 applications. 
Nevertheless, the NPX can load, store, and operate on nonnormalized real numbers when they do 
occur. 


A denormal is the result of the NPX's response to an underflow exception when that exception has 
been masked by the programmer (see the 80287 control word, figure 1-5). Underflow occurs when the 
absolute value of a real number becomes too small to be represented in the destination format, that is, 


inter 


when the exponent of the true result is too negative to be represented in the destination format. For 
example, a true exponent of -130 
will cause underflow if the destination is short real, because -126 


is the smallest exponent this format can accommodate. No underflow would occur if the destination 
were long real or temporary real, since these formats can handle exponents down to -1023 
and -16,383, 


respectively. 


Most computers underflow "abruptly:" they simply return a zero result, which is likely to produce an 
unacceptable final result if computation continues. The 80287, on the other hand, underflows "gradu- 
ally" when the underflow exception is masked. Gradual underflow is accomplished by denormalizing 
the result until it is just within the exponent range of the destination format. Denormalizing means 
incrementing the true result's exponent and inserting a corresponding leading zero in the significand, 
shifting the rest of the significand one place to the right. Denormal values may occur in any of the 
short-real, long-real, or temporary-real formats. Table 1-7 illustrates how a result might be denormal- 
ized to fit a short-real destination. 


The intent of the 80287's masked response to underflow is to allow computation to continue without 
program intervention, while introducing an error that carries about the same risk of contaminating the 
final result as roundoff error. Roundoff (precision) errors occur frequently in real number calculations; 
sometimes they spoil the result of computation, but often they do not. Recognizing that roundoff errors 
are often nonfatal, computation usually proceeds, and the programmer inspects the final results to see 
if these errors have had a significant effect. The 80287's masked underflow response allows program- 
mers to treat underflows in a similar manner; the computation continues and the programmer can 
examine the final result to determine 
if an underflow has had important 
consequences. (If the 
underflow has had a significant effect, an invalid operation will probably be signalled later in the 
computation. ) 


Denormalization produces a denormal or a zero. Denormals are readily identified by their exponents, 
which are always the minimum for their formats; in biased form, this is always the bit string: 00...00. 
This same exponent value is also assigned to the zeros, but a denormal has a nonzero significand. A 
denormal in a register is tagged special. Tables 1-14 and 1-15 later in this chapter show how denormal 
values are encoded in each of the real data formats. 


The denormalization process may cause the loss of low-order significand bits as they are shifted off the 
right. In a severe case, all the significand bits of the true result are shifted out and replaced by the 
leading zeros. In this case, the result of denormalization is a true zero, and if the value is in a register, 
it is tagged as such. However, this is a comparatively rare occurrence and, in any case, is no worse than 
"abrupt" underflow. 


Operation 
Sign 
Exponent") 
Significand 


True Result 
0 
-129 
1601011100 ...00 


Denormalize 
0 
-128 
06101011100 ...00 


Denormalize 
0 
-127 
060101011100 ...00 


Denormalize 
0 
-126 
0600101011100 ...00 


Denormal 
Resul~2) 
0 
-126 
0600101011100 ...00 


NOTES: 


(I) Expressed 
as unbiased, 
decimal 
number. 


(2) Before 
storing, 
significand 
is rounded 
to 24 bits, integer 
bit is dropped, 
and exponent 
is biased by adding 


126. 
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small results during the evaluation of intermediate subexpressions; the final result is usually of an 
appropriate magnitude for its short or long real destination. If intermediate results are held in tempo- 
rary real, as is recommended, the great range of this format makes underflow very unlikely. Denormals 
are likely to arise only when an application generates a great many intermediates, so many that they 
cannot be held on the register stack or in temporary real memory variables. If storage limitations force 
the use of short or long reals for intermediates, and small values are produced, underflow may occur, 
and, if masked, may generate denormals. 


Accessing a denormal may produce an exception as shown in table 1-8. (The denormalized exception 
signals that a denormal has been fetched.) Denormals may have reduced significance due to lost low- 
order bits, and an option of the proposed IEEE standard precludes operations on nonnormalized 
operands. This option may be implemented in the form of an exception handler that responds to 
unmasked denormalized exceptions. Most users will mask this exception so that computation may 
proceed; any loss of accuracy will be analyzed by the user when the final result is delivered. 


As table 1-8 shows, the division and remainder operations do not accept denormal divisors and raise 
the invalid operation exception. Recall also that the transcendental instructions require normalized 
operands and do not check for exceptions. In all other cases, the NPX converts denormals to unnor- 
mals, and the rules governing unnormal arithmetic then apply (unnormals are described in the follow- 
ing section). 


An unnormal is the result of a computation using denormal operands and is therefore the descendent 
of the 80287's masked underflow response. An unnormal may exist only in the temporary real format; 
it may have any exponent that a normal value may have (that is, in biased form any nonzero value), 
but it is distinguished from a normal by the integer bit of its significand, which is always O. An unnor- 
mal in a register is tagged valid. Unnormals are distinct from denormals, which have an exponent of 
00...00 in biased form. 


Unnormals allows arithmetic to continue following an underflow while still retaining their identity as 
numbers that may have reduced significance. That is, unnormal operands generate unnormal results, 
so long as their unnormality has a significant effect on the result. Unnormals are thus prevented from 
"masquerading" 
as normals, numbers that have full significance. On the other hand, if an unnormal 


has an insignificant effect on a calculation with a normal, the result will be normal. For example, 
adding a small unnormal to a large normal yields a normal result. The converse situation yields an 
unnormal. 


Operation 
Exception 
Masked Response 


FLD (short/long 
real) 
D 
Load as equivalent 
un normal 


Arithmetic 
(except 
following) 
D 
Convert 
(in a work 
area) denormal 
to equivalent 


un normal 
and proceed 


Compare 
and test 
D 
Convert 
(in a work 
area) denormal 
to equivalent 


un normal 
and proceed 


Division 
or FPREM with 
I 
Return 
real indefinite 


denormal 
divisor 


Table 1-9 shows how the instruction set deals with unnormal operands. Note that the unnormal may 
be the original operand or a temporary created by the 80287 from a denormal. 


The value zero in the real and decimal integer formats may be signed either positive or negative, 
although the sign of a binary integer zero is always positive. For computational purposes, the value of 
zero always behaves identically, regardless of sign, and typically the fact that a zero may be signed is 
transparent to the programmer. If necessary, the FXAM instruction may be used to determine a zero's 
sign. 


The zeros discussed above are called true zeros; if one of them is loaded or generated in a register, the 
register is tagged zero. Table 1-10 lists the results of instructions executed with zero operands and also 
shows how a true zero may be created from nonzero operands. 


Only the temporary real format may contain a special class of values called pseudo zeros. A pseudo 
zero is an unnormal whose significand is all zeros, but whose (biased) exponent is nonzero (true zeros 
have a zero exponent). Neither is a pseudo zero's exponent all ones, since this encoding is reserved for 
infinities and NANs. A pseudo zero result will be produced if two unnormals, containing a total of 
more than 64 leading zero bits in their significands, are multiplied together. This is a remote possibility 
in most applications, but it can happen. 


Pseudo zero operands behave like unnormals, except in the following cases where they produce the 
same results as true zeros: 


Compare and test instructions 


FRNDINT (round to integer) 


Division, where the dividend is either a true zero or a pseudo zero (the divisor is a pseudo zero) 


Operation 
Result 


Addition/subtraction 
Normalization 
of operand 
with 
larger 
abosolute 
value determines 
normalization 
of result. 


Multiplication 
If either operand 
is unnormal, 
result is un normal. 


Division 
(un normal 
dividend 
only) 
Result 
is unnormal. 


FPREM (unnormal 
dividend 
only) 
Result 
if normalized. 


Division/FPREM 
(un normal 


- 


Signal invalid operation. 


divisor) 


Compare/FTST 
Normali.ze 
as much 
as possible 
before 
making 


companson. 
FRNDINT 
Normalize 
as much as possible 
before 
rounding. 


FSQRT 
Signal invalid operation. 
FST, FSTP (short/long 
real 
If value is above 
destination's 
underflow 
bound- 
destination) 
ary, 
then 
signal 
invalid 
operation; 
else 
signal 


underflow. 


FSTP (temporary 
real destination) 
Store as usual. 


FIST, FISTP, FBSTP 
Signal invalid operation. 
FLD 
Load as usual. 


FXCH 
Exchange 
as usual. 


Transcendental 
instructions 
Undefined; 
operands 
must be normal and are not 


checked. 
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In addition and subtraction of a pseudo zero and a true zero or another pseudo zero, the pseudo zeroes) 
behaves like unnormals, except for the determination of the result's sign. The sign is determined as 
shown in table 1-10 for two true zero operands. 


Operation / Operands 
Result 
Operation / Operands 
Result 


FLD, FBLD(1) 
Division 


+0 
+0 
±O -;.-±O 
Invalidoperation 


-0 
-0 
±X -;.-±O 
Zerodivide 
FILD(2) 
+0-;.- +X, -O-;'--X 
+0 


+0 
+0 
+0-;.- -X, 
-0-;.- 
+X 
-0 


FST,FSTP 
-X-;'- 
-Y, 
+X-;.- +Y 
+0, underflow81 
+0 
+0 
-X-;'- 
+Y, +X-;'--Y 
-0, underflow81 


-0 
-0 


+XC31 
+0 
FPREM 


-XC31 
-0 
±O rem ±O 
Invalidoperation 
FBSTP 
±X rem ±O 
Invalidoperation 
+0 
+0 
+0 rem +X, +0 rem -X 
+0 


-0 
-0 
-0 rem +X, -0 rem -X 
-0 


FIST,FISTP 
+X rem +Y, +X rem -Y 
+OC9) 
+0 
+0 
-X rem -Y, 
-X rem +Y 
-OC91 
-0 
+0 


+XC41 
+0 
FSQRT 


-XC41 
+0 
-0 
-0 


+0 
+0 


Addition 
+0 plus +0 
+0 
Compare 


-0 plus -0 
-0 
±O: +X 
A<B 


+0 plus -0, 
-0 
plus +0 
·0(5) 
±O: ±O 
A=B 


-X plus +X, +X plus -X 
·0(5) 
±O: -X 
A>B 


±O plus ±X, ±X plus ±O 
tX(8) 


FTST 


Subtraction 
±O 
Zero 


+0 minus -0 
+0 
FCHS 


-0 minus +0 
-0 
+0 
-0 


+0 minus +0, -0 
minus -0 
·O(5) 
-0 
+0 


+X minus +X, -X minus -X 
·O(5) 
FABS 


±O minus ±X, ±X minus ±O 
tXC81 
±O 
+0 
F2XM1 


Multiplication 
+0 
+0 


+0· 
+0, -0·-0 
+0 
-0 
-0 


+0· 
-0, 
-0· 
+0 
-0 
FRNDINT 


+0. 
+X, +X· 
+0 
+0 
+0 
+0 
• 
+0· 
-X, 
-X· 
+0 
-0 
-0 
-0 


-0. 
+X, +X·-O 
-0 
FXTRACT 


-O·-X,-X·-O 
+0 
+0 
Both +0 
~ 
+X· 
+Y, -X·-Y 
+0, underflow71 
-0 
Both -0 
+X. 
-Y, 
-X. 
+Y 
-0, underflow71 


NOTES: 


(1) Arithmetic and compare operations with real memory operands interpret the memory operand signs in 
the sameway. 


C21Arithmetic and compareoperations with binary integers interpret the integer sign in the same manner. 


(31Severeunderflows in storing to short or long real may generatezeros. 


(4) Smallvalues ( Ix! < 1) stored into integers may round to zero. 
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(5) Sign is determined 
by round mode: 
• = + for nearest, 
up, or chop 


• = - for down 


(6) t = sign of X. 


(7) Very small values of X and Y may yield zeros, 
after rounding of true result. 
NPX signals underflow to 


warn that zero has been yielded by nonzero operands. 


(6) Very small X and very large Y may yield zero, after rounding of true result. 
NPX signals 
underflow to 
warn that zero has been yielded from nonzero operands. 


(9) When Y divides into X exactly. 


The real formats 
support 
signed 
representations 
of infinities. 
These values are encoded 
with a biased 
exponent 
of all ones and a significand 
of 1~00 ...00; if the infinity 
is in a register, 
it is tagged 
special. 


The significand 
distinguishes 
infinities 
from NANs, 
including 
real indefinite. 


A programmer 
may code an infinity, 
or it may be created 
by the NPX 
as its masked 
response 
to an 
overflow or a zero divide exception. 
Note that when rounding 
is up or down, the masked 
response 
may 
create 
the largest 
valid value representable 
in the destination 
rather 
than infinity. 
See table 
1-11 for 
details. 
As operands, 
infinities 
behave somewhat 
differently 
depending 
on how the infinity 
control field 
in the control word is set (see table 
1-12). When the projective 
model of infinity 
is selected, 
the infini- 
ties behave 
as a single unsigned 
representation; 
because 
of this, infinity 
cannot 
be compared 
with any 
value 
except 
infinity. 
In affine 
mode, 
the signs of the infinities 
are observed, 
and comparisons 
are 
possible. 


A NaN 
(Not a Number) 
is a member 
of a class of special values that exist in the real formats 
only. A 
NaN 
has an exponent 
of 11..11B, may have either sign, and may have any significand 
except 
l~OO..OOB, 


which is assigned 
to the infinities. 
A NaN 
in a register 
is tagged 
special. 


The 80287 will generate 
the special NaN, 
real indefinite, as its masked 
response to an invalid operation 
exception. 
This NaN 
is signed negative; 
its significand 
is encoded 
1~100 ..00. All other NaNs 
represent 
programmer-created 
values. 


Whenever 
the NPX 
uses an operand 
that 
is a NaN, 
it signals 
an invalid 
operation 
exception 
in its 
status 
word. 
If this exception 
is masked 
in the 80287 
control 
word, 
the 80287's 
masked 
exception 
response 
is to return 
the NaN 
as the operation 
result. If both operands 
of an instruction 
are NaNs, 
the 
result is the NaN 
with the larger absolute 
value. In this way, a NaN 
that enters a computation 
propa- 
gates through 
the computation 
and will eventually 
be delivered 
as the final result. Note, 
however, 
that 
the transcendental 
instructions 
do not check 
their 
operands, 
and a NaN 
will produce 
an undefined 
result. 


By unmasking 
the invalid operation 
exception, 
the programmer 
can use NaNs 
to trap to the exception 
handler. 
The generality 
of this approach 
and the large number 
of NaN 
values that are available 
provide 
the sophisticated 
programmer 
with a tool that can be applied 
to a variety 
of special situations. 


For example, 
a compiler 
could 
use NaNs 
as references 
to uninitialized 
(real) 
array 
elements. 
The 
compiler 
could 
preinitialize 
each 
array 
element 
with a NaN 
whose significand 
contained 
the index 
(relative 
position) of the element. 
If an application 
program 
attempted 
to access an element 
that it had 
not initialized, 
it would use the NaN 
placed 
there by the compiler. 
If the invalid operation 
exception 
were unmasked, 
an interrupt 
would occur, and the exception 
handler 
would be invoked. The exception 


handler could determine which element had been accessed, since the operand address field of the 
exception pointers would point to the NaN, and the NaN would contain the index number of the array 
element. 


NaNs could also be used to speed up debugging. In its early testing phase, a program often contains 
multiple errors. An exception handler could be written to save diagnostic information in memory 
whenever it was invoked. After storing the diagnostic data, it could supply a NaN as the result of the 
erroneous instruction, and that NaN could point to its associated diagnostic area in memory. The 
program would then continue, creating a different NaN for each error. When the program ended, the 
NaN results could be used to access the diagnostic data saved at the time the errors occurred. Many 
errors could thus be diagnosed and corrected in one test run. 


True Result 
Rounding 
Result Delivered 


Normalization 
Sign 
Mode 


Normal 
+ 
Up 
+co 


Normal 
+ 
Down 
Largest 
finite positive 
number') 


Normal 
- 
Up 
Largest 
finite negative 
number') 


Normal 
- 
Down 
-co 


Unnormal 
+ 
Up 
+co 


Un normal 
- 
Down 
Largest 
exponent, 
result's 
significand(21 


Unnormal 
+ 
Up 
Largest 
exponent, 
result's 
significand(21 


Unnormal 
- 
Down 
-co 


NOTES: 


(1) The largest 
valid representable 
reals are encoded: 
exponent: 
11...1 OB 


significand: 
(1)~ 11... 1OB 


(2)The significand 
retains its identity 
as an unnormal; 
the true result is rounded 
as usual (effectively 
chopped 


toward 
0 in this case). The exponent 
is encoded 
11 ...1OB. 


Operation 
Projective 
Result 
Affine Result 


Addition 
+co plus +co 
Invalid operation 
+co 
-co 
plus -co 
Invalid operation 
-co 
+co plus -co 
Invalid operation 
Invalid operation 
-co 
plus +co 
Invalid operation 
Invalid operation 
±co plus ±X 
'co 
'co 
±X plus ±co 
'co 
'co 


Subtraction 


+co minus -co 
Invalid operation 
+co 
-co 
minus +co 
Invalid operation 
-co 
+co minus +co 
Invalid operation 
Invalid operation 
-co 
minus -co 
, 


Invalid operation 
Invalid operation 
±co minus 
±X 
'co 
'co 
±X minus 
±co 
tco 
tco 


. 


inter 


Operation 
Projective 
Result 
Affine Result 


Multiplication 


±co· 
±oo 
Ell 
Ell 


±oo· 
±y 
Ell 
Ell 


± o· ± 00, ± 00 • ± 0 
Invalid operation 
Invalid operation 


Division 


±oo 
-;- ±oo 
Invalid operation 
Invalid operation 


±oo 
-;- ±X 
Ell 
Ell 


±X 
-;- ±oo 
Ell 
Ell 


FSQRT 


-00 
Invalid operation 
Invalid operation 


+00 
Invalid operation 
+00 


FPREM 


±oo rem ±oo 
Invalid operation 
Invalid operation 


±oo rem ±X 
Invalid operation 
Invalid operation 


±Y 
rem 
±oo 
.y 
.y 


±O rem ±oo 
·0 
·0 


FRNDINT 


±oo 
·00 
·00 


FSCALE 


± 00 scaled by ± 00 
Invalid operation 
Invalid operation 


± 00 scaled by ± X 
·00 
·00 


± 0 scaled 
by ± 00 
·0 
·0 


± Y scaled 
by- ± 00 
Invalid operation 
Invalid operation 


FXTRACT 


±oo 
Invalid operation 
Invalid operation 


Compare 


±oo: 
±oo 
A=B 
-00 < +00 


±oo: 
±Y 
A ? B (and) invalid operation 
-00 < Y < +00 


±oo: 
±O 
A ? B (and) invalid operation 
-00 < 0 < +00 


FTST 


±oo 
A ? B (and) invalid operation 
·00 


NOTES: 


X 
zero or nonzero 
operand 


Y 
nonzero 
operand 


sign of original 
operand 
t 
sign is complement 
of original 
operand's 
sign 


Ell 
sign 
is "exclusive 
or" 
original 
operand 
signs 
(+ 
if operands 
had same 
sign, 
- 
if operands 
had 


different 
signs) 


For every 80287 numeric data type, one unique encoding is reserved for representing the special value 
indefinite. The 80287 produces this encoding as its response to a masked invalid-operation exception. 
In the case of reals, the indefinite value can be stored and loaded like any NaN, and it always retains 
its special identity; programmers are advised not to use this encoding for any other purpose. Packed 
decimal indefinite may be stored by the NPX in a FBSTP instruction; attempting to use this encoding 
in a FBLD instruction, however, will have an undefined result. In the binary integers, the same encod- 
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- 231, or - 263). The 80287 will store this encoding as its masked response to an invalid operation, or 
when the value in a source register represents or rounds to the largest negative integer representable 
by the destination. In situations where its origin may be ambiguous, the invalid operation exception 
flag can be examined to see if the value was produced by an exception response. When this encoding 
is loaded, or used by an integer arithmetic or compare operation, it is always interpreted as a negative 
number; thus indefinite cannot be loaded from a packed decimal or binary integer. 


Tables 1-13 through 1-16 show how each of the special values just described is encoded for each of the 
numeric data types. In these tables, the least-significant bits are shown to the right and are stored in 
the lowest memory addresses. The sign bit is always the left-most bit of the highest-addressed byte. 


Class 
Sign 
Magnitude 


, 


•• 
(Largest) 
0 
11.,,11 


CI 
· 
· 
~ 
· 
· 
.; 
0 
· 
· 
Q. 


(Smallest) 
0 
00".01 


" 
Zero 
0 
00 ...00 


•• 
(Smallest) 
1 
11...11 


II 
· 
· 
~'l; 
· 
· 
III 
· 
· 
IIz 
(Largest/ 
Indefinite") 
1 
00...00 


Word: 
Short: 
Long: 


15 bits 
31 bits 
63 bits 


NOTES; 


If this encoding 
is used as a source 
operand 
(as in an integer 
load or integer 
arithmetic 
instruction), 
the 


80287 interprets 
it as the largest 
negative 
number 
representable 
in the format: 
-2'5, 
-231, 
or -263• 
The 


80287 will deliver this encoding 
to an integer 
destination 
in two cases: 


1) If the result 
is the largest 
negative 
number 


2) As the response 
to a masked 
invalid 
operation 
exception, 
in which 
case it represents 
the special 
value 


integer 
indefinite. 


Magnitude 


Class 
Sign 
I 
I 
I 
I ... I 
digit 
digit 
digit 
digit 
digit 


(Largest) 
0 
0000000 
1 0 0 1 
1 0 0 1 
1 0 0 1 
1 001 
· .. 
1 0 0 1 
· 
· 
· 
••• 
· 
· 
· 
>:= 
· 
· 
· 
ii 
(Smallest) 
0 
0000000 
o 0 0 0 
000 
0 
o 0 0 0 
000 
0 
000 
1 
0 
· .. 


lL 


Zero 
0 
0000000 
o 0 0 0 
o 0 0 0 
o 0 0 0 
o 0 0 0 
... 
o 000 


Zero 
1 
0000000 
000 
0 
000 
0 
000 
0 
o 0 0 0 
... 
o 000 
••• 
(Smallest) 
1 
0000000 
o 0 0 0 
000 
0 
000 
0 
000 
0 
000 
1 
~ 
· .. 
; 
· 
· 
· 
ell• 
· 
· 
· 
z 
· 
· 
· 
(Largest) 
1 
0000000 
1 o 0 1 
1 001 
1 0 0 1 
1 001 
1 0 0 1 


Indefinite' 
1 
1111111 
1 1 1 1 
1 1 1 1 
U U U U· 
U U U U 
U U U U 


NOTES: 


1. The packed 
decimal 
indefinite 
encoding is stored by FBSTP in response to a masked invalid operation 
exception. Attempting to load this value via FBLD produces an undefined result. 


2. UUUU means bit values are undefined and may contain any value. 


- 


Class 
Sign 
Biased 
Slgnlficando 


Exponent 
c.ff ...ff 


I 


0 
11...11 
11...11 
· 
· 
· 
NaNs 
· 
· 
· 
· 
· 
· 
0 
11...11 
00...01 


" 


0 
11...11 
00 ...00 
00 


0 
11...10 
11...11 


<I) 
· 
· 
· 
Gl 
~ 
Normals 
· 
· 
· 
.; 
= 
· 
· 
· 
0 
0- 
0 
00 ...01 
00...00 


0 
00 ...00 
11...11 
· 
· 
· 
Denormals 
· 
· 
· 
I- 
· 
· 


-' I'· 
· 
0 
00...00 
00 ...01 


Zero 
0 
00...00 


I 


00 ...00 
en 
- 
'ii 
Gla: 
Zero 
1 
00...00 
00...00 


-- 
, 


1 
00...00 
00 ...01 
· 
· 
· 
Denormals 
· 
· 
· 
· 
· 
· 
1 
00 ...00 
11...11 


1 
00 ...01 
00...00 
· 
· 
· 
Normals 
· 
· 
· 
· 
· 
· 
'" 
1 
11...10 
11...11 
Gl~i;j 
1 
11...11 
00...00 
Cll 
00 


GlZ 


1 
1L.11 
00...01 
· 
· 
· 
· 
· 
· 
· 
· 
· 
'"Z 
III 
1 
11...11 
10...00 
z 
Indefinite 
· 
· 
· 
· 
· 
· 
· 
· 
· 
1 
11...11 
11...11 


Short: 
Long: 


1.• 
8 bits 
•• 1-.•---23 
bits 
1'--11 bits--. .... 
I .•--- 
52 bits 


Class 
Sign 
Biased 
Slgnlficand' 


Exponent 
ltoft ...ff 


--. 


0 
11...11 
111...11 
· 
· 
· 
NaNs 
· 
· 
· 
· 
· 
· 
0 
. 
11...11 
100 ...01 


00 
0 
11...11 
100 ...00 


0 
11...10 
Normals 
· 
· 
111...11 
· 
· 
· 
· 
· 
· 
· 
· 
· 
· 
· 
· 
10 
· 
· 
100 ...00 
~ 
~ 
I' 
· 
· 
"; 
· 
· 
Unnormals 
0 
ll. 
· 
· 
· 
· 
011...11 
· 
· 
· 
· 
· 
· 
· 
· 
· 
0 
00 ...01 
000 ...00 


f 


Denormals 
0 
00 ...00 
011...11 
· 
· 
· 
· 
· 
· 
· 
· 
· 
0 
00 ...00 
000 ...01 


10 
Zero 
0 
00 ...00 
000 ...00 
- 
Cii~ 
a: 
Zero 
1 
00 ...00 
000 ...00 


Denormals 


1 
00 ...00 
000 ...01 
· 
· 
· 
~. 
· 
· 
· 
· 
· 
· 
1 
00 ...00 
011...11 


10 
i- 
~ 
1 
00 ...01 
Unnormals 
> 
000 ...00 
:;:; 
, 
· 
· 
III 
· 
· 
· 


Ql~ 
· 
· 
· 
z 
· 
· 
· 
, 
· 
· 
011...11 
· 
· 
· 
· 
Normals 
· 
· 
· 
· 
100 ...00 
· 
· 
· 
· 
· 
· 
· 
· 
· 
1 
11...10 
111...11 


Class 
Sign 
Biased 
Signlflcand' 


,- 
Exponent 
I~ff ...ff 


- 


co 
1 
11...11 
100...00 


1 
11...11 
100...00 
· 
· 
· 
•• 
· 
· 
· 
•~ 
· 
· 
· 
CiIII il 
• 
Indefinite 
1 
11...11 
110...00 
z 
· 
· 
· 
· 
· 
· 
· 
· 
· 
1 
11...11 
11L.11 


Whenever the 80287 NPX attempts a numeric operation with invalid operands or produces a result 
that cannot be represented, the 80287 recognizes a numeric exception condition. Altogether, the 80287 
checks for the following six classes of exceptions while executing numeric instructions: 


1. Invalid operation 


2. Divide-by-zero 


3. Denormalized operand 


4. Numeric overflow 
5. Numeric underflow 


6. Inexact result (precision) 


• 
An attempt to load a register that is not empty (stack overflow). 


• 
An attempt to pop an operand from an empty register (stack underflow). 


• 
An operand is a NaN. 


• 
The operands cause the operation to be indeterminate (square root of a negative number, 0/0). 


If an instruction attempts to divide a finite nonzero operand by zero, the 80287 will report a zero divide 
exception. 


If an instruction attempts to operate on a denormal, the NPX reports the denormalized operand excep- 
tion. This exception allows users to implement in software an option of the proposed IEEE standard 
specifying that operands must be prenormalized before they are used. 


If the exponent of a numeric result is too large for the destination real format, the 80287 signals a 
numeric overflow. Conversely, if the exponent of a result is too small to be represented in the destina- 
tion format, a numeric underflow is signaled. If either of these exceptions occur, the result of the 
operation is outside the range of the destination real format. 


Typical algorithms are most likely to produce extremely large and small numbers in the calculation of 
intermediate, 
rather than final, results. Because of the great range of the temporary real format 
(recommended as the destination format for intermediates), overflow and underflow are relatively rare 
events in most 80287 applications. 


If the result of an operation is not exactly representable in the destination format, the 80287 rounds 
the number and reports the precision exception. For example, the fraction Ih cannot be precisely repre- 
sented in binary form. This exception occurs frequently and indicates that some (generally acceptable) 
accuracy has been lost; it is provided for applications that need to perform exact arithmetic only. 


• 
The NPX can itself handle the error, producing the most reasonable result and allowing numeric 
program execution to continue undisturbed. 


• 
A software exception handler can be invoked by the CPU to handle the error. 


Each of the six exception conditions described above has a corresponding flag bit in the 80287 status 
word and a mask bit in the 80287 control word. If an exception is masked (the corresponding mask bit 
in the control word = 1), the 80287 takes an appropriate default action and continues with the compu- 
tation. If the exception is unmasked (mask=O), the 80287 asserts the ERROR output to the 80286 to 
signal the exception and invoke a software exception handler. 


The NPX reports an exception by setting the corresponding flag in the NPX status word to 1. The 
NPX then checks the corresponding exception mask in the control word to determine if it should 
"field" the exception (mask= 1), or if it should signal the exception to the CPU to invoke a software 
exception handler (mask=O). 


If the mask is set, the exception is said to be masked (from user software), and the NPX executes its 
on-chip masked response for that exception. If fhe mask is not set (mask=O), the exception is unmasked, 
and the NPX performs its unmasked response. The masked response always produces a standard result, 
then proceeds with the instruction. The unmasked response alway,')traps to a software exception handler, 
allowing the CPU to recognize and take action on the exception. Table 1-17 gives a complete descrip- 
tion of all exception conditions and the NPX's masked response. 


inter 


Source 
register 
is tagged 
empty 
(usually 
due 


to stack underflow). 


Destination 
register 
is not 
tagged 
empty 


(usually 
due to stack overflow). 


One or both operands 
is a NaN. 


(Compare 
and 
test 
operations 
only): 
one 
or 


both operands 
is a NaN. 


(Addition 
operations 
only): closure 
is affine and 


operands 
are opposite-signed 
infinities; 
or 


closure 
is projective 
and both operands 
are 00 
(signs immaterial). 


(Subtraction 
operations 
only): closure 
is affine 


and 
operands 
are 
like-signed 
infinities; 
or 


closure 
is projective 
and both operands 
are 00 
(signs immaterial). 


(Multiplication 
operations 
only): 
00 • 0; or 0 • 


00. 


(Division 
operations 
only): 
00 -;- 00; or 0 -;- 0; 
or 0 -;- pseudo 
zero; or divisor 
is denormal 
or 


unnormal. 


(FPREM 
instruction 
only): modulus 
(divisor) 
is 


unnormal 
or denormal; 
or dividend 
is 00. 


(FSQRT 
instruction 
only): operand 
is nonzero 


and 
negative; 
or 
operand 
is denormal 
or 


unnormal; 
or closure 
is affine 
and operand 
is 


-00; or closure 
is projective 
and operand 
is 


00. 


(Compare 
operations 
only): closure 
is projec- 


tive and 00 is being compared 
with 0, a normal, 
or 00. 


(FTST 
instruction 
only): 
closure 
is projective 


and operand 
is 00. 


(FIST, 
FISTP 
instructions 
only): 
source 
regis- 
ter is empty, 
a NaN, denormal, 
unnormal, 
00, 


or 
exceeds 
representable 
range 
of 
destina- 


tion. 


(FBSTP 
instruction 
only): 
source 
register 
is 


empty, 
a NaN, 
denormal, 
unnormal, 
00, or 
exceeds 
18 decimal 
digits. 


(FST, 
FSTP 
instructions 
only): 
destination 
is 


short 
or long 
real 
and 
source 
register 
is an 


un normal 
with exponent 
in range. 


(FXCH instruction 
only): one or botH registers 


is tagged 
empty. 


Return 
real 
indefinite 
(overwrite 
destination 


value). 


Return 
NaN with larger 
absolute 
value (ignore 


signs). 


Set condition 
codes 
"not 
comparable." 


Return 
real 
indefinite, 
set condition 
code 
= 
"complete 
remainder." 


Return 
real indefinite. 


Change 
empty 
register(s) 
to real indefinite 
and 


then perform 
exchange. 


Condition 
Masked 
Response 


Denormalized 
Operand 


(FLD 
instruction 
only): 
source 
operand 
is 
No special 
action; 
load as usual. 


denormal. 


(Arithmetic 
operations 
only): 
one 
or 
both 
Convert 
(in a work 
area) the operand 
to the 
operands 
is denormal. 
equivalent 
un normal 
and proceed. 


(Compare 
and 
test 
operations 
only): 
one 
or 
Convert 
(in a work 
area) any denormal 
to the 
both operands 
is denormal 
or unnormal (other 
equivalent 
unnormal; 
normalize 
as much 
as 
than pseudo 
zero). 
possible, 
and proceed 
with operation. 


Zero Divide 


(Division 
operations 
only): divisor = O. 
Return 
co signed 
with 
"exclusive 
or" 
of 


operand 
signs. 


Overflow 


(Arithmetic 
operations 
only): 
rounding 
is 
Return properly 
signed co and signal precision 
nearest 
or chop, 
and exponent 
of true 
result 
exception. 
> 16,383. 


(FST, 
FSTP 
instructions 
only): 
rounding 
is 
Return properly 
signed 
00 and signal precision 
nearest 
or chop, 
and exponent 
of true 
result 
exception. 


> +127 (short 
real destination) 
or > +1023 


(long real destination). 
. 


Underflow 


(Arithmetic 
operations 
only): exponent 
of true 
Denormalize 
until exponent 
rises 
to -16,382 
result < -16,382 
(true). 
(true), 
round 
significand 
to 64 bits. 
If denor- 
malized 
rounded 
significand 
= 0, then return 


true 0; else, 
return 
denormal 
(tag = special, 


biased exponent 
= 0). 


(FST, 
FSTP 
instructions 
only): 
destination 
is 
Denormalize 
until 
exponent 
rises 
to -126 
short real and exponent 
of true result < -126 
(true), round significand 
to 24 bits, store true 0 
(true). 
if denormalized 
rounded 
significand 
= 0; else, 


store denormal 
(biased 
exponent 
= 0). 


(FST, 
FSTP 
instructions 
only): 
destination 
is 
Denormalize 
until 
exponent 
rises 
to 
-1022 
long real and exponent 
of true result < -1022 
(true), round significand 
to 53 bits, store true 0 
(true). 
if rounded 
denormalized 
significand 
= 0; else, 


store denormal 
(biased 
exponent 
= 0). 


Precision 


True rounding 
error occurs. 
No special 
action. 


Masked 
response 
to overflow 
exception 
earlier 
No special 
action. 
in instruction. 


Note 
that 
when exceptions 
are masked, 
the NPX 
may detect 
multiple 
exceptions 
in a single 
instruction, 
because 
it continues 
executing 
the instruction 
after 
performing 
its masked 
response. 
For example, 
the 
80287 
could 
detect 
a denormalized 
operand, 
perform 
its masked 
response 
to this 
exception, 
and then 
detect 
an underflow. 


inter 


As described 
in the previous 
section, 
when the 80287 NPX 
encounters 
an exception 
condition 
whose 


corresponding 
mask bit in the NPX 
control 
word is set, the NPX 
automatically 
performs 
an internal 


fix-up (masked-exception) 
response. 
The 80287 NPX 
has a default 
fix-up activity 
for every possible 


exception 
condition 
it may encounter. 
These 
masked-exception 
responses 
are designed 
to be safe and 


are generally 
acceptable 
for most numeric 
applications. 


As an example 
of how even severe exceptions 
can be handled 
safely and automatically 
using the NPX's 


default 
exception 
responses, 
consider 
a calculation 
of the parallel 
resistance 
of several 
values 
using 


only the standard 
formula 
(figure 
I-II). 
If Rl becomes 
zero, the circuit 
resistance 
becomes 
zero. With 


the divide-by-zero 
and precision 
exceptions 
masked, 
the 80287 NPX will produce 
the correct 
result. 


By masking 
or unmasking 
specific 
numeric 
exceptions 
in the NPX 
control 
word, NPX 
programmers 
can delegate 
responsibility 
for most exceptions 
to the NPX, 
reserving 
the most severe exceptions 
for 


programmed 
exception 
handlers. 
Exception-handling 
software 
is often difficult 
to write, and the NPX's 
masked 
responses 
have been tailored 
to deliver 
the most reasonable 
result 
for each condition. 
For the 


majority 
of applications, 
programmers 
will find that masking 
all exceptions 
other than Invalid 
Opera- 


tion will yield satisfactory 
results 
with the least programming 
effort. 
An Invalid 
Operation 
exception 


normally 
indicates 
a fatal error in a program 
that must be corrected; 
this exception 
should not normally 
be masked. 


The exception flags in the NPX status word provide a cumulative 
record of exceptions 
that have occurred 


since these flags were last cleared. 
Once set, these flags can be cleared 
only by executing 
the FCLEX 
(clear exceptions) 
instruction, 
by reinitializing 
the NPX, 
or by overwriting 
the flags with an FRSTOR 


or FLDENV 
instruction. 
This allows a programmer 
to mask all exceptions 
(except 
invalid operation), 


run a calculation, 
and then inspect 
the status 
word to see if any exceptions 
were detected 
at any point 


in the calculation. 


If the NPX 
encounters 
an unmasked 
exception 
condition, 
it signals the exception 
to the 80286 CPU 
using the ERROR status 
line between 
the two processors. 


inter 


The next time the 80286 CPU encounters a WAIT or ESC instruction in its instruction stream, the 
80286 will detect the active condition of the ERROR status line and automatically trap to an exception 
response routine using interrupt #16-the 
Processor Extension Error exception. 


This exception response routine is typically a part of the systems software. Typical exception responses 
may include 


Incrementing an exception counter for later display or printing 


Printing or displaying diagnostic information (e.g., the 80287 environment and registers) 


Aborting further execution 


Using the exception pointers to build an instruction that will run without exception and executing 
it 


Application programmers on iAPX 286 systems having systems software support for the 80287 NPX 
should consult their references for the appropriate system response to NPX exceptions. For systems 
programmers, specific details on writing software exception handlers are included in the section "System- 
Level Numeric Programming" later in this supplement. 


The 80287 NPX differs from the 8087 NPX in the manner in which numeric exceptions are signalled 
to the CPU; the 8087 requires an interrupt controller (8259A) to interrupt the CPU, while the 80287 
does not. Programmers upgrading iAPX 86/20 software to operate on iAPX 286 systems should be 
aware of these differences and any implications they might have on numeric exception-handling software. 
Appendix B explains the differences between the 80287 and the 8087 NPX in greater detail. 
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CHAPTER 
2 
PROGRAMMING 
NUMERIC APPLICATIONS 


Programmers developing applications for the 80287 have a wide range of instructions and program- 
ming alternatives from which to choose. 


The following sections describe the 80287 instruction set in detail, and follow up with a discussion of 
several of the programming facilities that are available to programmers of iAPX 286/20 systems. 


This section describes the operation of all 80287 instructions. Within this section, the instructions are 
divided into six functional classes: 


• 
Data Transfer instructions 


• 
Arithmetic instructions 


• 
Comparison instructions 


• 
Transcendental instructions 


• 
Constant instructions 


• 
Processor Control instructions 


At the end of this section, each of the instructions is described in terms of its execution speed, bus 
transfers, and exceptions, as well as a coding example for each combination of operands accepted by 
the instruction. For easy reference, this information is concentrated into a table, organized alphabeti- 
cally by instruction mnemonic. 


Throughout this section, the instruction set is described as it appears to the ASM286 programmer who 
is coding a program. Appendix A covers the actual machine instruction encodings, which are princi- 
pally of use to those reading unformatted memory dumps, monitoring instruction fetches on the bus, 
or writing exception handlers. 


The instruction set for the 80287 NPX is largely the same as that for the 8087 NPX used with iAPX 
86 and 88 systems. Most object programs generated for iAPX 86/20 systems (8086 and 8087) will 
execute without change on iAPX 286/20 systems. Several instructions are new to the 80287, and several 
8087 instructions perform no useful function on the 80287. Appendix B at the back of this supplement 
gives details of these instruction set differences and of the differences in the ASM86 and ASM286 
assemblers. 


The typical NPX instruction accepts one or two operands as inputs, operates on these, and produces a 
result as an output. Operands are most often (the contents of) register or memory locations. The operands 
of some instructions are predefined; for example, FSQRT always takes the square root of the number 
in the top stack element. Others allow, or require, the programmer to explicitly code the operand(s) 
along with the instruction mnemonic. Still others accept one explicit operand and one implicit operand, 
which is usually the top stack element. 


inter 


Whether supplied by the programmer or utilized automatically, the two basic types of operands are 
sources and destinations. A source operand simply supplies one of the inputs to an instruction; it is not 
altered by the instruction. Even when an instruction converts the source operand from one format to 
another (e.g., real to integer), the conversion is actually performed in an internal work area to avoid 
altering the source operand. A destination operand may also provide an input to an instruction. It is 
distinguished from a source operand, however, because its content may be altered when it receives the 
result produced by the operation; that is, the destination is replaced by the result. 


Many instructions allow their operands to be coded in more than one way. For example, FADD (add 
real) may be written without operands, with only a source or with a destination and a source. The 
instruction descriptions in this section employ the simple convention of separating alternative operand 
forms with slashes; the slashes, however, are not coded. Consecutive slashes indicate an option of no 
explicit operands. The operands for FADD are thus described as 


FADD 
FADD 
source 


FAD 
0 
destination, source 


When reading this section, it is important to bear in mind that memory operands may be coded with 
any of the CPU's memory addressing modes. To review these modes-direct, 
register indirect, based, 
indexed, based indexed-refer 
to the iAPX 286 Programmer's Reference Manual. Table 2-17 later in 


this chapter also provides several addressing mode examples. 


These instructions (summarized in table 2-1) move operands among elements of the register stack, and 
between the stack top and memory. Any of the seven data types can be converted to temporary real 
and loaded (pushed) onto the stack in a single operation; they can be stored to memory in the same 
manner. The data transfer instructions automatically update the 80287 tag word to reflect the register 
contents following the instruction. 


Table 2-1. Data Transfer Instructions 


Real Transfers 


FLO 
Load real 
FST 
Store real 
FSTP 
Store real and pop 
FXCH 
Exchange 
registers 


Integer 
Transfers 


FILO 
Integer 
load 
FIST 
Integer 
store 
FISTP 
Integer store and pop 


Packed 
Decimal 
Transfers 


FBLO 
Packed 
decimal 
(BCD) load 
FBSTP 
Packed 
decimal 
(BCD) store and pop 


inter 


FLD (load real) loads (pushes) the source operand onto the top of the register stack. This is done by 
decrementing the stack pointer by one and then copying the content of the source to the new stack top. 
The source may be a register on the stack (ST(i» or any of the real data types in memory. Short and 
long real source operands are converted to temporary real automatically. Coding FLD ST(O) duplicates 
the stack top. 


FST (store real) transfers the stack top to the destination, which may be another register on the stack 
or a short or long real memory operand. If the destination is short or long real, the significand is 
rounded to the width of the destination according to the RC field of the control word, and the exponent 
is converted to the width and bias of the destination format. 


If, however, the stack top is tagged special (it contains 00, a NaN, or a denormal) then the stack top's 
significand is not rounded but is chopped (on the right) to fit the destination. Neither is the exponent 
converted, but it also is chopped on the right and transferred "as is." This preserves the value's identi- 
fication as 00 or a NaN (exponent all ones) or a denormal (exponent all zeros) so that it can be properly 
loaded and tagged later in the program if desired. 


FSTP (store real and pop) operates identically to FST except that the stack is popped following the 
transfer. This is done by tagging the top stack element empty and then incrementing ST. FSTP permits 
storing to a temporary real memory variable, whereas FST does not. Coding FSTP ST(O) is equivalent 
to popping the stack with no data transfer. 


FXCH (exchange registers) swaps the contents of the destination and the stack top registers. If the 
destination is not coded explicitly, ST(l) is used. Many 80287 instructions operate only on the stack 
top; FXCH provides a simple means of effectively using these instructions on lower stack elements. 
For example, the following sequence takes the square root of the third register from the top: 


FXCH 
ST(3) 


FSQRT 
FXCH 
ST(3) 


FILD (integer load) converts the source memory operand from its binary integer format (word, short, 
or long) to temporary real and loads (pushes) the result onto the stack. The (new) stack top is tagged 
zero if all bits in the source were zero, and is tagged valid otherwise. 


FIST (integer store) rounds the content of the stack top to an integer according to the RC field of the 
control word and transfers the result to the destination. The destination may define a word or short 
integer variable. Negative zero is stored in the same encoding as positive zero: 0000...00. 


FISTP (integer and pop) operates like FIST and also pops the stack following the transfer. The desti- 
nation may be any of the binary integer data types. 


FBLD (packed decimal (BCD) load) converts the content of the source operand from packed decimal 
to temporary real and loads (pushes) the result onto the stack. The sign of the source is preserved, 
including the case where the value is negative zero. FBLD is an exact operation; the source is loaded 
with no rounding error. 


The packed decimal digits of the source are assumed to be in the range 0-9H. The instruction does not 
check for invalid digits (A-FH) and the result of attempting to load an invalid encoding is undefined. 


FBSTP (packed decimal (BCD) store and pop) converts the content of the stack top to a packed 
decimal integer, stores the result at the destination in memory, and pops the stack. FBSTP produces a 
rounded integer from a nonintegral value by adding 0.5 to the value and then chopping. Users who are 
concerned about rounding may precede FBSTP with FRNDINT. 


The 80287's arithmetic instruction set (table 2-2) provides a wealth of variations on the basic add, 
subtract, multiply, and divide operations, and a number of other useful functions. These range from a 
simple absolute value to a square root instruction that executes faster than ordinary division; 80287 
programmers no longer need to spend valuable time eliminating square roots from algorithms because 
they run too slowly. Other arithmetic instructions perform exact modulo division, round real numbers 
to integers, and scale values by powers of two. 


The 80287's basic arithmetic 
instructions (addition, subtraction, 
multiplication, and division) are 
designed to encourage the development of very efficient algorithms. In particular, they allow the 
programmer to minimize memory references and to make optimum use of the NPX register stack. 


Table 2-3 summarizes the available operation/operand 
forms that are provided for basic arithmetic. In 


addition to the four normal operations, two "reversed" instructions make subtraction and division 
"symmetrical" like addition and multiplication. The variety of instruction and operand forms give the 
programmer unusual flexibility: 


• 
Operands may be located in registers or memory. 
• 
Results may be deposited in a choice of registers. 


• 
Operands may be a variety of NPX data types: temporary real, long real, short real, short integer 
or word integer, with automatic conversion to temporary real performed by the 80287. 


inter 


Addition 


FADD 
Add real 
FADDP 
Add real and pop 
FIADD 
Integer 
add 


Subtraction 


FSUB 
Subtract 
real 
FSUBP 
Subtract 
real and pop 
FISUB 
Integer 
subtract 
FSUBR 
Subtract 
real reversed 
FSUBRP 
Subtract 
real reversed 
and pop 
FISUBR 
Integer 
subtract 
reversed 


Multiplication 


FMUL 
Multiply 
real 
FMULP 
Multiply 
real and pop 
FIMUL 
Integer 
multiply 


Division 


FDIV 
Divide real 
FDIVP 
Divide real and pop 
FIDIV 
Integer divide 
FDIVR 
Divide real reversed 
FDIVRP 
Divide real reversed 
and pop 
FIDIVR 
Integer 
divide reversed 


Other Operations 


FSQRT 
Square 
root 
FSCALE 
Scale 
FPREM 
Partial remainder 
FRNDINT 
Round to integer 
FXTRACT 
Extract 
exponent 
and significand 
FABS 
Absolute 
value 
FCHS 
Change 
sign 


Five basic instruction 
forms may be used across all six operations, 
as shown in table 2-3. The classicial 
stack form may be used to make 
the 80287 operate 
like a classical 
stack 
machine. 
No operands 
are 
coded in this form, only the instruction 
mnemonic. 
The NPX 
picks the source operand 
from the stack 
top and the destination 
from the next stack element. 
It then pops the stack, 
performs 
the operation, 
and returns 
the result to the new stack top, effectively 
replacing 
the operands 
by the result. 


The register 
form is a generalization 
of the classical 
stack 
form; the programmer 
specifies 
the stack 
top as one operand 
and any register 
on the stack 
as the other 
operand. 
Coding 
the stack 
top as the 
destination 
provides a convenient 
way to access a constant, 
held elsewhere 
in the stack, from the stack 
top. The converse 
coding (ST is the source operand) 
allows, for example, 
adding the top into a register 
used as an accumulator. 


Often 
the operand 
in the stack 
top is needed 
for one operation 
but then is of no further 
use in the 
computation. 
The register 
pop form can be used to pick up the stack top as the source operand, 
and 


then discard 
it by popping 
the stack. 
Coding 
operands 
of ST(1),ST 
with a register 
pop mnemonic 
is 
equivalent 
to a classical 
stack operation: 
the top is popped 
and the result is left at the new top. 


Instruction 
Form 
Mnemonic 
Operand 
Forms 
ASM286 
Example 
Form 
destination, 
source 


Classical 
stack 
Fop 
{ST(1),ST} 
FADD 


Register 
Fop 
- 
ST(i),ST or ST,ST(i) 
FSUB 
ST,ST(3) 


Register 
pop 
FopP 
ST(i),ST 
FMULP 
ST(2),ST 


Real memory 
Fop 
{ ST,} 
short-realflong-real 
FDIV 
AZIMUTH 


Integer 
memory 
Flop 
{ ST,} 
word-integerfshort-integer 
FIDIV 
N_PULSES 


NOTES: 


Braces 
({ 


op = ADD 
SUB 
SUBR 
MUL 
DIV 
DIVR 


}) 
surround 
implicit operands; 
these are not coded, 
and are shown 
here for information 
only. 


destination 
+- destination 
+ source 
destination 
+- destination 
- 
source 
destination 
+- source 
- 
destination 
destination 
+- destination· 
source 
destination 
+- destination 
-;- source 
destination 
+- source 
-;- destination 


The two memory 
forms increase 
the flexibility 
of the 80287's 
arithmetic 
instructions. 
They 
permit 
a 


real number 
or a binary integer 
in memory 
to be used directly 
as a source operand. 
This is a very useful 


facility in situations 
where operands 
are not used frequently 
enough to justify 
holding them in registers. 
Note that any memory addressing 
mode may be used to define these operands, 
so they may be elements 
in arrays, 
structures, 
or other data organizations, 
as well as simple scalars. 


The six basic operations 
are discussed 
further 
in the next paragraphs, 
and descriptions 
of the remaining 


seven arithmetic 
operations 
follow. 


ADDITION 
FADD 
/ /source/destination,source 
FADDP 
destination/source 
FIADD 
source 


The addition 
instructions 
(add 
real, 
add 
real and pop, integer 
add) 
add the source 
and destination 


operands 
and return 
the sum to the destination. 
The operand 
at the stack 
top may be doubled 
by 
coding: 


NORMAL 
SUBTRACTION 
FSUB 
/ /source/destination,source 
FSUBP 
destination/source 
FISUB 
source 


The normal 
subtraction 
instructions 
(subtract 
real, subtract 
real and pop, integer 
subtract) 
subtract 


the source operand 
from the destination 
and return 
the difference 
to the destination. 


REVERSED 
SUBTRACTION 
FSUBR 
/ /source/destination,source 
FSUBRP 
destination/source 
FISUBR 
source 


inter 


The reversed subtraction instructions (subtract real reversed, subtract real reversed and pop, integer 
subtract reversed) subtract the destination from the source and return the difference to the destination. 


MULTIPLICATION 
FMUL 
/ /source/destination, 
source 


FMULP 
destination, source 


FIMUL 
source 


The multiplication instructions (multiply real, multiply real and pop, integer multiply) multiply the 
source and destination operands and return the product to the destination. Coding FMUL ST,ST(O) 
squares the content of the stack top. 


NORMAL DIVISION 
FDIV 
/ /source/destination,source 


FDIVP 
destination, source 


FIDIV 
source 


The normal division instructions (divide real, divide real and pop, integer divide) divide the destination 
by the source and return the quotient to the destination. 


REVERSED DIVISION 
FDIVR 
/ /source/destination,source 


FDIVRP 
destination, source 


FIDIVR 
source 


The reversed division instructions (divide real reversed, divide real reversed and pop, integer divide 
reversed) divide the source operand by the destination and return the quotient to the destination. 


FSQRT (square root) replaces the content of the top stack element with its square root. (Note: The 
square root of -0 is defined to be -0.) 


FSCALE (scale) interprets the value contained in ST(l) as an integer and adds this value to the exponent 
of the number in ST. This is equivalent to 


Thus, FSCALE provides rapid multiplication or division by integral powers of 2. It is particularly 
useful for scaling the elements of a vector. 


Note that FSCALE assumes the scale factor in ST(l) is an integral value in the range -215:5 X <215• 
If the value is not integral, but is in-range and is greater in magnitude than 1, FSCALE uses the 
nearest integer smaller in magnitude; i.e., it chops the value toward O.If the value is out of range, or 0 
< I X I < 1, the instruction will produce an undefined result and will not signal an exception. The 
recommended practice is to load the scale factor from a word integer to ensure correct operation. 


FPREM (partial remainder) performs modulo division of the top stack element by the next stack 
element, i.e., ST(l) is the modulus. FPREM produces an exact result; the precision exception does not 
occur. The sign of the remainder is the same as the sign of the original dividend. 


inter 


FPREM operates by performing successive scaled subtractions; obtaining the exact remainder when 
the operands differ greatly in magnitude can consume large amounts of execution time. Because the 
80287 can only be preempted between instructions, the remainder function could seriously increase 
interrupt latency in these cases. Accordingly, the instruction is designed to be executed iteratively in a 
software-controlled loop. 


FPREM can reduce a magnitude difference of up to 264 in one execution. If FPREM produces a 
remainder that is less than the modulus, the function is complete and bit C2 of the status word condi- 
tion code is cleared. If the function is incomplete, C2 is set to I; the result in ST is then called the 
partial remainder. Software can inspect C2 by storing the status word following execution of FPREM 
and re-execute the instruction (using the partial remainder in ST as the dividend), until C2 is cleared. 
Alternatively, a program can determine when the function is complete by comparing ST to ST(l). If 
ST>ST(l), 
then FPREM must be executed again; if ST=ST(I), 
then the remainder is 0; if ST<ST(l), 
then the remainder is ST. A higher priority interrupting routine that needs the 80287 can force a 
context switch between the instructions in the remainder loop. 


An important use for FPREM is to reduce arguments (operands) of periodic transcendental functions 
to the range permitted by these instructions. For example, the FPTAN (tangent) instruction requires 
its argument to be less than 1r/4. Using 1r/ 4 as a modulus, FPREM will reduce an argument so that it 
is in range of FPTAN. Because FPREM produces an exact result, the argument reduction does not 
introduce roundoff error into the calculation, even if several iterations are required to bring the argument 
into range. (The rounding of 1r does not create the effect of a rounded argument, but of a rounded 
period.) 


FPREM also provides the least-significant three bits of the quotient generated by FPREM (in C3• C" 
Co).This is also important for transcendental argument reduction, because it locates the original angle 
in the correct one of eight 1r / 4 segments of the unit circle (see table 2-4). If the quotient is less than 4, 
then CO will be the value of C3 before FPREM was executed. If the quotient is less than 2, then C3 
will be the value of CI before FPREM was executed. 


Condition 
Code 
Interpretation 
-after FPREM 


C3 
C2 
C1 
CO 


X 
1 
X 
X 
Incomplete 
Reduction; 


further 
iteration 
is required 
for complete 


reduction. 


Complete 
Reduction; 
C1, C3, and CO contain 
the three least- 


significant 
bits of quotient: 


0 
0 
0 
0 
(Quotient) 
MOD 8 = 0 


0 
0 
0 
1 
(Quotient) 
MOD 8 = 4 


0 
0 
1 
0 
(Quotient) 
MOD 8 = 1 


0 
0 
1 
1 
(Quotient) 
MOD 8 = 5 


1 
0 
0 
0 
(Quotient) 
MOD 8 = 2 


1 
0 
0 
1 
(Quotient) 
MOD 8 = 6 


1 
0 
1 
0 
(Quotient) 
MOD 8 = 3 


1 
0 
1 
1 
(Quotient) 
MOD 8 = 7 


inter 


FRNDINT 
(round to integer) rounds the top stack element to an integer. For example, assume that 
ST contains the 80287 real number encoding of the decimal value 155.625. FRNDINT 
will change 
the value to 155 if the RC field of the control word is set to down or chop, or to 156 if it is set to up 
or nearest. 


FXTRACT (extract exponent and significand) "decomposes" the number in the stack top into two 
numbers that represent the actual value of the operand's exponent and significand fields. The "exponent" 
replaces the original operand on the stack and the "significand" is pushed onto the stack. Following 
execution of FXTRACT, ST (the new stack top) contains the value of the original significand expressed 
as a real number: its sign is the same as the operand's, its exponent is 0 true (16,383 or 3FFFH biased), 
and its significand is identical to the original operand's. ST(1) contains the value of the original operand's 
true (unbiased) exponent expressed as a real number. If the original operand is zero, FXTRACT 
produces zeros in ST and ST(1) and both are signed as the original operand. 


To clarify the operation of FXTRACT, assume ST contains a number of whose true exponent is +4 
(Le., its exponent field contains 4003H). After executing FXTRACT, ST(1) will contain the real number 
+4.0; its sign will be positive, its exponent field will contain 400lH (+2 true) and its significand field 
will contain 1~00...00B. In other words, the value in ST(1) will be 1.0 X 2' = 4. If ST contains an 
operand whose true exponent is -7 
(Le., its exponent field contains 3FF8H), then FXTRACT will 
return an "exponent" of -7.0; 
after the instruction executes, ST(1)'s sign and exponent fields will 
contain COOIH (negative sign, true exponent of 2), and its significand will be I~IIOO ...OOB.In other 
words, the value in ST(l) will be -1.11 
X 2' = -7.0. 
In both cases, following FXTRACT, ST's sign 
and significand fields will be the same as the original operand's, and its exponent field will contain 
3FFFH (0 true). 


FXTRACT is useful in conjunction with FBSTP for converting numbers in 80287 temporary real format 
to decimal representations (e.g., for printing or displaying). It can also be useful for debugging, because 
it allows the exponent and significant parts of a real number to be examined separately. 


Each of these instructions (table 2-5) analyzes the top stack element, often in relationship to another 
operand, and reports the result in the status word condition code. The basic operations are compare, 
test (compare with zero), and examine (report tag, sign, and normalization). Special forms of the compare 
operation are provided to optimize algorithms by allowing direct comparisons with binary integers and 
real numbers in memory, as well as popping the stack after a comparison. 


The FSTSW (store status word) instruction may be used following a comparison to transfer the condi- 
tion code to memory for inspection. 


Note that instructions other than those in the comparison group may update the condition code. To 
ensure that the status word is not altered inadvertently, store it immediately following a comparison 
operation. 


FCOM (compare real) compares the stack top to the source operand. The source operand may be a 
register on the stack, or a short or long real memory operand. If an operand is not coded, ST is compared 
to ST(l). Positive and negative forms of zero compare identically as if they were unsigned. Following 
the instruction, the condition codes reflect the order of the operands as shown in table 2-6. 


FCOMPP (compare real and pop twice) operates like FCOM and additionally pops the stack twice, 
discarding both operands. The comparison is of the stack top to ST( l); no operands may be explicitly 
coded. 


FICOM (integer compare) converts the source operand, which may reference a word or short binary 
integer variable, to temporary real and compares the stack top to it. 


FICOMP (integer compare and pop) operates identically to FICOM and additionally discards the 
value in ST by popping the stack. 


Table 2-5. 
Comparison 
Instructions 


FCOM 
FCOMP 
FCOMPP 
FICOM 
FICOMP 
FTST 
FXAM 


Compare 
real 
Compare 
real and pop 
Compare 
real and pop twice 
Integer compare 
Integer 
compare 
and pop 
Test 
Examine 


Condition 
Code 
Interpretation 
after FCOM 


C3 
C2 
C1 
CO 


0 
0 
X 
0 
ST> 
source 


0 
0 
X 
1 
ST < source 


1 
0 
X 
0 
ST = source 


1 
1 
X 
1 
ST is not comparable 


inter 


FIST 
(test) 
tests the top stack element 
by comparing 
it to zero. The result 
is posted 
to the condition 
codes as shown in table 2-7. 


FXAM 
(examine) 
reports 
the content 
of the top stack element 
as positive/negative 
and NaN/unnor- 
mal/denormal/normal/zero, 
or empty. Table 
2-8 lists and interprets 
all the condition 
code values that 
FXAM 
generates. 
Although 
four different 
encodings 
may be returned 
for an empty 
register, 
bits C3 
and CO of the condition 
code are both 
I in all encodings. 
Bits C2 and CI should 
be ignored 
when 
examining 
for empty. 


The instructions 
in this group (table 2-9) perform 
the time-consuming' 
core calculations for all common 
trigonometric, 
inverse 
trigonometric, 
hyperbolic, 
inverse 
hyperbolic, 
logarithmic, 
and 
exponential 
functions. 
Prologue 
and epilogue 
software 
may be used to reduce 
arguments 
to the range accepted 
by 
the instructions 
and to adjust 
the result 
to correspond 
to the original 
arguments 
if necessary. 
The 
transcendentals 
operate 
on the top one or two stack elements, 
and they return 
their results to the stack, 
also. 


, 


Condition 
Code 
Interpretation 
after FTST 


C3 
C2 
C1 
CO 


0 
0 
X 
0 
ST> 
0 


0 
0 
X 
1 
ST < 0 


1 
0 
X 
0 
ST = 0 


1 
1 
X 
1 
ST is not comparable; 
(i.e., it is a NaN or projective infinity) 


Condition 
Code 
Interpretation 


C3 
C2 
C1 
CO 


0 
0 
0 
0 
+ Unnormal 


0 
0 
0 
1 
+ NaN 


0 
0 
1 
0 
- 
Unnormal 


0 
0 
1 
1 
- 
NaN 


0 
1 
0 
0 
+ Normal 


0 
1 
0 
1 
+00 


0 
1 
1 
0 
- 
Normal 


0 
1 
1 
1 
- 
00 
1 
0 
0 
0 
+0 


1 
0 
0 
1 
Empty 


1 
0 
1 
0 
-0 


1 
0 
1 
1 
Empty 


1 
1 
0 
0 
+ Denormal 


1 
1 
0 
1 
Empty 


1 
1 
1 
0 
- 
Denormal 
1 
1 
1 
1 
Empty 


inter 


FPTAN 
FPATAN 
F2XM1 
FYL2X 
FYL2XP1 


Partialtangent 
Partial arctangent 
2x-1 
Yolog2X 
Yolog2(X+ 1) 


NOTE 


The transcendental 
instructions assume that their operands are valid and in-range. The 
instruction descriptions in this section provide the allowed operand range of each instruction. 


All operands to a transcendental must be normalized; denormals, unnormals, infinities, and NaNs are 
considered invalid. (Zero operands are accepted by some functions and are considered out-of-range by 
others). If a transcendental operand is invalid or out-of-range, the instruction will produce an undefined 
result without signalling an exception. It is the programmer's responsibility to ensure that operands are 
valid and in-range before executing a transcendental. For periodic functions, FPREM may be used to 
bring a valid operand into range. 


FPTAN 
O:S ST(O):S 11"/4 


FPTAN (partial tangent) computes the function YIX 
= TAN (0). 0 is taken from the top stack 
element; it must lie in the range 0 :S 0 :S 11"/4. The result of the operation is a ratio; Y replaces 0 in 
the stack and X is pushed, becoming the new stack top. 


The ratio result of FPTAN and the ratio argument of FPATAN are designed to optimize the calcula- 
tion of the other trigonometric functions, including SIN, cas, ARCSIN, and ARCCOS. These can 
be derived from TAN and ARCTAN via standard trigonometric identities. 


FPATAN 
o :S ST(1) < ST(O) < 00 


FPATAN (partial arctangent) computes the function 0 = ARCTAN (YIX). 
X is taken from the top 
stack element and Y from ST(l). 
Y and X must observe the inequality 0 :S Y < X < 00. The 
instruction pops the stack and returns 0 to the (new) stack top, overwriting the Y operand. 


F2XM1 
o :S ST(O) :S 0.5 


F2XMl (2 to the X minus 1) calculates the function Y = 2X -1. X is taken from the stack top and 
must be in the range 0 :S X :S 0.5. The result Y replaces X at the stack top. 


This instruction is designed to produce a very accurate result even when X is close to O. To obtain 
Y = 2\ add I to the result delivered by F2XM 1. 


10' = 2,·LOO210 
e' = 2,·LOO'. 
y' = 2"LOO'Y 


As shown in the next section, the 80287 has built-in instructions for loading the constants LOG,IO and 
LOG,e, and the FYL2X instruction may be used to calculate X-LOG,Y. 


FYL2X 
0< 
ST(O) < 00-00 
< ST(1) < 00 


FYL2X (Y log base 2 of X) calculates the function Z = Y-LOG,X. X is taken from the stack top and 
Y from ST(1). The operands must be in the ranges 0 < X < 00 and - 
00 < Y < + 00. The 
instruction pops the stack and returns Z at the (new) stack top, replacing the Y operand. 


This function optimizes the calculations of log to any base other than two, because a multiplication is 
always required: 


FYL2XP1 
0.$1 
ST(O) 1< (1-(\1'2/2» 
- 
00 < ST(1) < 00 


FYL2XPI (Y log base 2 of (X + I)) calculates the function Z = V-LOG, (X+ 1). X is taken from 
the stack top and must be in the range 0 :s IX I < (1- (\1'2/2)). Y is taken from ST(1) and must 
be in the range - 
00 < Y < 00. FYL2XPI 
pops the stack and returns Z at the (new) stack top, 
replacing Y. 


The instruction provides improved accuracy over FYL2X when computing the log of a number very 
close to I, for example 1 + 
E where E < < I. Providing E rather than 1 + 
E as the input to the function 
allows more significant digits to be retained. 


Each of these instructions (table 2-10) loads (pushes) a commonly-used constant onto the stack. The 
values have full temporary real precision (64 bits) and are accurate to approximately 19 decimal digits. 
Because a temporary real constant occupies 10 memory bytes, the constant instructions, which are only 
two bytes long, save storage and improve execution speed, in addition to simplifying programming. 


FLOZ 
FL01 
FLOPI 
FLOL2T 
FLOL2E 
FLOLG2 
FLOLN2 


Load + 0.0 
Load + 1.0 
Load 1r 
Load 109210 
Load 1092e 
Load 109102 
Load 109.2 


The processor control instructions 
shown in table 2-11 are not typically used in calculations; 
they provide 
control over the 80287 NPX for system-level 
activities. 
These activities 
include initialization, 
exception 


handling, 
and task switching. 


As shown in table 2-11, many of the NPX 
processor 
control instructions 
have two forms of assembler 
mnemonic: 


• 
A wait form, where the mnemonic 
is prefixed 
only with an F, such as FSTSW. 
This form checks 
for unmasked 
numeric 
errors. 


• 
A no-wait 
form, where the mnemonic 
is prefixed 
with an FN, such as FNSTSW. 
This form ignores 
unmasked 
numeric 
errors. 


FINIT/FNINIT 
FSETPM 
FLDCW 
FSTCW/FNSTCW 
FSTSW/FNSTSW 
FSTSW AX/FNSTSW AX 
FCLEX/FNCLEX 
FSTENV/FNSTENV 
FLDENV 
FSAVE/FNSAVE 
FRSTOR 
FINCSTP 
FDECSTP 
FFREE 
FNOP 
FWAIT 


Initialize processor 
Set Protected 
Mode 
Load control word 
Store control word 
Store status word 
Store status word to AX 
Clear exceptions 
Store Environment 
Load environment 
Save state 
Restore state 
Increment stack pointer 
Decrement stack pointer 
Free register 
No operation 
CPU Wait 


inter 


When the control instruction is coded using the no-wait form of the mnemonic, the ASM286 assembler 
does not precede the ESC instruction with a wait instruction, and the CPU does not test the ERROR 
status line from the NPX before executing the processor control instruction. 


Only the processor 
control class of instructions have this alternate no-wait form. All numeric instruc- 
tions are automatically synchronized by the 80286, with the CPU testing the BUSY status line and 
only executing the numeric instruction when this line is inactive. Because of this automatic synchroniz- 
ation by the 80286, numeric instructions for the 80287 need not be preceded by a CPU wait instruction 
in order to execute correctly. 


It should also be noted that the 8087 instructions FENI and FDISI perform no function in the 80287. 
If these opcodes are detected in an 80286/80287 instruction stream, the 80287 will perform no specific 
operation and no internal states will be affected. For programmers interested in porting numeric software 
from iAPX 86 or iAPX 88 environments to the iAPX 286, however, it should be noted that program 
sections containing these exception-handling instructions are not likely to be completely portable to the 
iAPX 286/20. Appendix B contains a more complete description of the differences between the 80287 
and the 8087 NPX. 


FINIT /FNINIT 
(initialize processor) sets the 80287 NPX into a known state, unaffected by any 
previous activity. The no-wait form of this instruction will cause the 80287 to abort any previous numeric 
operations currently executing in the NEU. This instruction performs the functional equivalent of a 
hardware RESET, with one exception; FINIT /FNINIT 
does not affect the current 80287 operating 
mode (either Real-Address mode or Protected mode). FINIT checks for unmasked numeric exceptions, 
FNINIT does not. 


Note that if FNINIT 
is executed while a previous 80287 memory-referencing instruction is running, 
80287 bus cycles in progress will be aborted. This instruction may be necessary to clear the 80287 if a 
Processor Extension Segment Overrun Exception (Interrupt 9) is detected by the CPU. 


FSETPM (set Protected mode) sets the operating mode of the 80287 to Protected Virtual-Address 
mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address 
mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a 
hardware RESET can return the NPX to operation in Real-Address mode. 


When the 80287 operates in Protected mode, the NPX exception pointers are represented differently 
than they are in Real-Address mode (see the FSAVE and FSTENV instructions that follow). This 
distinction is evident primarily to writers of numeric exception handlers, however. For general appli- 
cation programmers, the operating mode of the 80287 need not be a concern. 


FLDCW (load control word) replaces the current processor control word with the word defined by the 
source operand. This instruction is typically used to establish or change the 80287's mode of operation. 
Note that if an exception bit in the status word is set, loading a new control word that unmasks that 
exception and clears the interrupt enable mask will generate an immediate interrupt request before the 
next instruction is executed. When changing modes, the recommended procedure is to first clear any 
exceptions and then load the new control word. 


FSTCW /FNSTCW 
(store control word) writes the current processor control word to the memory 
location defined by the destination. FSTCW checks for unmasked numeric exceptions, FNSTCW 
does not. 


FSTSW /FNSTCW 
(store status word) writes the current value of the 80287 status word to the desti- 


nation operand in memory. The instruction is used to 


• 
Implement conditional branching following a comparison or FPREM instruction (FSTSW) 


• 
Poll the 80287 to determine if it is busy (FNSTSW) 


• 
Invoke exception handlers in environments that do not use interrupts (FSTSW). 


FSTSW AX/FNSTSW 
AX (store status word to AX) is a special 80287 instruction that writes the 
current value of the 80287 status word directly into the 80286 AX register. This instruction optimizes 
conditional branching in numeric programs, where the 80286 CPU must test the condition of various 
NPX status bits. The waited form checks for unmasked numeric exceptions, the non-waited for 
does not. 


When this instruction is executed, the 80286 AX register is updated with the NPX status word before 
the CPU executes any further instructions. In this way, the 80286 can immediately test the NPX status 
word without any WAIT or other synchronization instructions required. 


FCLEX/FNCLEX 
(clear exceptions) clears all exception flags, the error status flag and the busy flag 
in the status word. As a consequence, the 80287's ERROR line goes inactive. FCLEX checks for 
unmasked numeric exceptions, FNCLEX does not. 


FSAVE/FNSAVE 
(save state) writes the full 80287 state-environment 
plus register stack-to 
the 
memory location defined by the destination operand. Figure 2-1 shows the layout of the 94-byte save 
area; typically the instruction will be coded to save this image on the CPU stack. FNSA VE delays its 
execution until all NPX activity completes normally. Thus, the save image reflects the state of the 
NPX following the completion of any running instruction. After writing the state image to memory, 
FSAVE/FNSA VE initializes the 80287 as if FINIT /FNINIT 
had been executed. 


FSAVE/FNSA VE is useful whenever a program wants to save the current state of the NPX and 
initialize it for a new routine. Three examples are 


• 
An operating system needs to perform a context switch (suspend the task that had been running 
and give control to a new task). 


• 
An exception handler needs to use the 80287. 


• 
An application task wants to pass a "clean" 80287 to a subroutine. 


inter 


INCREASING 
ADDRESSES 
;-l 


INCREASING 
ADDRESSES 


~ 


INSTRUCTION 
{ 
POINTER 


OPERAND 
{ 


POINTER 


CONTROL 
WORD 


STATUS 
WORD 


TAG 
WORD 


INSTRUCTION 
POINTER 
(15-0) 


INSTRUCTION 
A 
I I 
INSTRUCTION 
POINTER 
(19-16) 
0 
OPCODE 
(10-0) 


DATA 
POINTER 
(15-0) 


DATA 
POINTER I 
0 
(19-16) 


\{ 


$IGNIFtCAND 
15·0 
+14 


SIGNIFICANO 
31·16 
+ 16 


$IGNIFICAND 
47·32 
+ 18 


SIGNIFICAND 
63·48 
+20 


51 
EXPONENT 
14·0 
+22 


{ 


SIGNIFICAND 
15-0 
+24 


SIGNIFICANO 
31-16 
+2. 


SlGNIFICANO 
47·32 
+28 
. 
SIGNIFICANC 
63·48 
+30 


51 
EXPONENT 
14·0 
+32 


\{ 


SIGNIFICAND 
1S-0 
+8' 


SIGNtFICAND 
31·16 
+86 


SIGNIFICANO 
47·32 
+88 
. 
SIGNIFICANO 
63-48 
+90 


51 
EXPONENT 
14-0 
+92 


CONTROL 
WORD 


STATU5 
WORD 


TAG WORD 


IP OFFSET 


CS SELECTOR 


DATA 
OPERAND 
OFFSET 


DATA 
OPERAND 
SEt 
ECTOR 


\{ 


SIGNIFICAND 
15-0 
+14 


SIGNIFICAND 
31-'6 
+16 


SIGNIFICANO 
47-32 
+18 


SIGNIFICANO 
63·48 
+20 


51 
EXPONENT 
14-0 
+22 


L 


StGNIFICAND 
1S-0 
+24 


SIGNIFICAND 
31·16 
+2. 


I 
StGNIFICAND 
47-32 
+28 


SIGNIFICAND 
63-48 
+30 


EXPONENT 
14-0 
+32 
~{ 


SIGNIFICANO 
15-0 
+8' 


SIGNIFICAND 
31·16 
+8. 


SIGNIFICAND 
47-32 
+88 


StGNIFICAND 
63-48 
+90 


51 
EXPONENT 
14-0 
+92 


NOTES: 
5 = Sign 
Bit a 01 each field is rightmost. 
least significanl 
bit of corresponding 
register 
field. 


Bit 63 ot signilicand 
is integer 
bit (assumed 
binary point is immediately 


to the right). 


FSA VE checks for unmasked 
numeric 
errors before executing, 
FNSA VE does not. An FW AIT should 


be executed 
before CPU interrupts 
are enabled 
or any subsequent 
80287 instruction 
is executed. 
Other 


CPU instructions 
may be executed 
between 
the FNSA VE/FSA 
VE and the FWAIT. 


FRSTOR 
(restore state) reloads the 80287 from the 94-byte memory area defined by the source operand. 
This information 
should have been written 
by a previous 
FSAVE/FNSAVE 
instruction 
and not altered 


by any other instruction. 
An FW AIT is not required 
after FRSTOR. 
FRS TOR will automatically 
wait 
and check for interrupts 
until all data transfers 
are completed 
before continuing 
to the next instruction. 


Note that the 80287 "reacts" 
to its new state at the conclusion 
of the FRSTOR; 
it will, for example, 
generate 
an exception 
request 
if the exception 
and mask bits in the memory 
image 
so indicate 
when 
the next WAIT 
or error-checking-ESC 
instruction 
is executed. 


FSTENV /FNSTENV 
(store environment) writes the 80287's basic status-control, 
status, and tag 


words, and exception pointers-to 
the memory location defined by the destination operand. Typically, 
the environment is saved on the CPU stack. FSTENV /FNSTENV 
is often used by exception handlers 
because it provides access to the exception pointers that identify the offending instruction and operand. 
After saving the environment, FSTENV /FNSTENV sets all exception masks in the processor. FSTENV 
checks for pending errors before executing, FNSTENV does not. 


Figure 2-2 shows the format of the environment data in memory. FNSTENV 
does not store the 
environment until all NPX activity has completed. Thus, the data saved by the instruction reflects the 
80287 after any previously decoded instruction has been executed. After writing the environment image 
to memory, FNSTENV /FSTENV initializes the 80287 state as if FNINIT /FINIT had been executed. 


FSTENV /FNSTENV 
must be allowed to complete before any other 80287 instruction is decoded. 
When FSTENV is coded, an explicit FWAIT, or assembler-generated WAIT, should precede any 
subsequent 80287 instruction. 


CONTROL 
WORD 


STATUS 
WORD 


TAG WORD 


INSTRUCTION 
POINTER 
(15-0) 


INSTRUCTION 
,)1 I 
INSTRUCTION 


POINTER 
(19-16) 
0 
OPCODE 
(10-0) 


DATA POINTER 
(15-0) 


DATA POINTER I 
0 
(19-16) 


CONTROL 
WORD 


STATUS 
WORD 


TAG WORD 


IPOFFSET 


CSSELECTOR 


DATA OPERAND 
OFFSET 


DATA OPERAND 
SELECTOR 


FLDENV (load environment) reloads the environment from the memory area defined by the source 
operand. This data should have been written by a previous FSTENV /FNSTENV 
instruction. CPU 


instructions (that do not reference the environment image) may immediately follow FLDENV. An 
FWAIT is not required after FLDENV. FLDENV will automatically wait for all data transfers to 
complete before executing the next instruction. 


Note that loading an environment image that contains an unmasked exception will cause a numeric 
exception when the next WAIT or error-checking-ESC instruction is executed. 


FINCSTP (increment stack pointer) adds 1 to the stack top pointer (ST) in the status word. It does 
not alter tags or register contents, nor does it transfer data. It is not equivalent to popping the stack, 
because it does not set the tag of the previous stack top to empty. Incrementing the stack pointer when 
ST=7 
produces ST=O. 


FDECSTP (decrement stack pointer) subtracts I from ST, the stack top pointer in the status word. 
No tags or registers are altered, nor is any data transferred. Executing FDECSTP when ST=O produces 
ST=7. 


FFREE (free register) changes the destination register's tag to empty; the content of the register is 
unaffected. 


FNOP (no operation) stores the stack top to the stack top (FST ST,ST(O» and thus effectively performs 
no operation. 


FWAIT is not actually an 80287 instruction, but an alternate mnemonic for the CPU WAIT instruc- 
tion. The FWAIT or WAIT mnemonic should be coded whenever the programmer wants to synchro- 
nize the CPU to the NPX, that is, to suspend further instruction decoding until the NPX has completed 
the current instruction. FWAIT will check for unmasked numeric exceptions. 


NOTE 


A CPU instruction should not attempt to access a memory operand until the 80287 instruc- 
tion has completed. For example, the following coding shows how FWAIT can be used to 
force the CPU instruction to wait for the 80287: 


F 1ST 
F WA I T 
MOV 


VALUE 


j 
Walt 
for 
FIST 
to 
complete 
AX,VALUE 


More information on when to code an FWAIT instruction is given in a following section of this chapter, 
"Concurrent Processing with the 80287." 


Table 2-14 later in this chapter lists the operating characteristics of all the 80287 instructions. There 
is one table entry for each instruction mnemonic; the entries are in alphabetical order for quick lookup. 
Each entry provides the general operand forms accepted by the instruction as well as a list of all 
exceptions that may be detected during the operation. 


One entry exists for each combination of operand types that can be coded with the mnemonic. Table 
2-12 explains the operand identifiers allowed in table 2-14. Following this entry are columns that provide 
execution time in clocks, the number of bus transfers run during the operation, the length of the 
instruction in bytes, and an ASM286 coding sample. 


The execution of an 80287 instruction involves three principal activities, each of which may contribute 
to the overall execution time of.the instruction: 


• 
80286 CPU overhead involved in handling the ESC instruction opcode and setting up the 80287 
NPX 


• 
Instruction execution by the 80287 NPX 


• 
Operand transfers between the 80287 NPX and memory or a CPU register 


The timing of these various activities is affected by the individual clock frequencies of the 80286 CPU 
and the 80287 NPX. In addition, slow memories requiring the insertion of wait states in bus cycles, 
and bus contention due to other processors in the system, may lengthen operand transfer times. 


In calculating an overall execution time for an individual numeric instruction, analysts must take each 
of these activities into account. In most cases, it can be assumed that the numeric instructions have 
already been prefetched by the 80286 and are awaiting execution. 


• 
The CPU overhead in handling the ESC instruction opcode takes only a single CPU bus cycle 
before the 80287 begins its execution of the numeric instruction. The timing of this bus cycle is 
determined by the CPU clock. Additional CPU activity is required to set up the 80287's instruction 
and data pointer registers, but this activity occurs after the 80287 has begun executing its instruc- 
tion, and so this parallel activity does not affect total execution time. 


)C 
Identifier 
Explanation 


ST 
Stack top; the register 
currently 
at the top of the stack. 


ST(i) 
A register 
in the stack i (0:::;i:::;7) stack elements 
from the 
top. 
ST(1) is the 
next-on-stack 
register, 
ST(2) 
is below 
ST(1), etc. 


Short-real 
A short real (32 bits) number 
in memory. 


Long-real 
A long real (64 bits) number 
in memory. 


Temp-real 
A temporary 
real (80 bits) number 
in memory. 


Packed-decimal 
A packed 
decimal 
integer 
(18 digits, 
10 bytes) in memory. 


Word-integer 
A word 
binary 
integer 
(16 bits) in memory. 


Short-integer 
A short binary 
integer 
(32 bits) in memory. 


Long-integer 
A long binary integer 
(64 bits) in memory. 


nn-bytes 
A memory 
area nn bytes long. 


• 
The duration of individual numeric instructions executing on the 80287 varies for each instruction. 
Table 2-14 quotes a typical execution clock count and a range for each 80287 instruction. Dividing 
the figures in the table by 5 (for a 5-MHz 80287 NPX clock) produces an execution time in micro- 
seconds. The typical case is an estimate for operand values that normally characterize most appli- 
cations. The range encompasses 'best- and worst-case operand values that may be found in extreme 
circumstances. 


• 
The operand transfer time required to transfer operands between the 80287 and memory or a CPU 
register depends on the number of words to be transferred, the frequency of the CPU clock control- 
ling bus timing, the number of wait states added to accommodate slower memories, and whether 
operands are based at even or odd memory addresses. Some (small) additional number of bus cycles 
may also be lost due to the asynchronous nature of the PEREQ/PEACK 
handshaking between the 


80286 and 80287, and this interaction varies with relative frequencies of the CPU and NPX clocks. 


The execution clock counts for the NPX execution of instructions shown in table 2-14 assume that no 
exceptions are detected during execution. Invalid operation, denormalized operand (unmasked), and 
zero divide exceptions usually decrease execution time from the typical figure, but execution still falls 
within the indicated range. The precision exception has no effect on execution time. Unmasked overflow 
and underflow, and masked denormalized exceptions impose additional execution penalties as shown 
in table 2-13. Absolute worst-case execution times are therefore the high range figure plus the largest 
penalty that may be encountered. 


NPX instructions that reference memory require bus cycles to transfer operands between the NPX and 
memory. The actual number of transfers depends on the length of the operand and the alignment of 
the operand in memory. In table 2-14, the first figure gives execution clocks for even-addressed operands, 
while the second gives the clock count for odd-addressed operands. 


For operands aligned at word boundaries, that is, based at even memory addresses, each word to be 
transferred requires one bus cycle between the 80286 data channel and memory, and one bus cycle to 
the NPX. For operands based at odd memory addresses, each word transfer requires two bus cycles to 
transfer individual bytes between the 80286 data channel and memory, and one bus cycle to the NPX. 


NOTE 


For best performance, operands for the 80287 should be aligned along word boundaries; that 
is, based at even memory addresses. Operands based at odd memory addresses are transferred 
to memory essentially byte-at-a-time and may take half again as long to transfer as word- 
aligned operands. 


Additional transfer time is required if slow memories are being used, requiring the insertion of wait 
states into the CPU bus cycle. In multiprocessor environments, the bus may not be available immedi- 
ately; this overhead can also increase effective transfer time. 


Exception 
Additional 
Clocks 


Overflow(unmasked) 
14 
Underflow(unmasked) 
16 
j 


Denormalized(masked) 
33 


80287 instructions that do not reference memory are two bytes long. Memory reference instructions 
vary between two and four bytes. The third and fourth bytes are for the 8- or 16-bit displacement 
values used in conjunction with the standard 80286 memory-addressing modes. 


Note that the lengths quoted in table 2-14 for the processor control instructions (FNINIT, FNSTCW, 
FNSTSW, FNSTSW AX, FNCLEX, FNSTENV, and FNSA VE) do not include the one-byte CPU 
wait instruction inserted by the ASM286 assembler if the control instruction is coded using the wait 
form of the mnemonic (e.g. FINIT, FSTCW, FSTSW, FSTSW AX, FCLEX, FSTENV, and FSAVE). 
wait and no-wait forms of the processor control instructions have been described in the preceding section 
titled "Processor Control Instructions." 


FABS 
FABS (no operands) 
Exceptions: 
I 
Absolute 
value 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
14 
10-17 
0 
2 
FABS 


FADD 
FADD / /source/destination,source 
Exceptions: 
I, D, 0, U, P 
Add real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
. 


Typical 
Range 
Transfers 
Bytes 


/ /ST,ST(i)/ST(i),ST 
85 
70-100 
0 
2 
FADD 
ST,ST(4) 


short-real 
105 
90-120 
2 
2-4 
FADD 
AIR_TEMP 
[SI] 
long-real 
110 
95-125 
4 
2-4 
FADD 
[BX].MEAN 


FADDP 
FADDP destination, 
source 
Exceptions: 
I, D, 0, U, P 
Add real and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


ST(i),ST 
90 
75-105 
0 
2 
FADDP 
ST(2),ST 


FBLD 
FBLD source 
Packed 
decimal 
(BCD) load 
Exceptions: 
I 


Execution 
Clocks 
~ 


Operands 
Operand 
Word 
Code 
Coding 
Example 


i 


Typical 
Range 
Transfers 
Bytes 
: 


packed-decimal 
300 
290-310 
5 
2-4 
FBLD 
YTD_SALES 


inter 


FBSTP 
FBSTP destination 
Exceptions: 
I 
Packed 
decimal 
(BCD) store and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


packed-decimal 
530 
520-540 
5 
2-4 
FBSTP 
[BX].FORECAST 


FCHS 
FCHS (no operands) 
Exceptions: 
I 
Change 
sign 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
15 
10-17 
0 
2 
FCHS 


FCLEX/FNCLEX 
FCLEX/FNCLEX(no 
operands) 
Exceptions: 
None 
Clear exceptions 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
5 
2-8 
0 
2 
FNCLEX 
, 
,. f 


FCOM 
FCOM ffsource 
Exceptions: 
I, D 
Compare 
real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ffST(i) 
45 
40-50 
0 
2 
FCOM 
ST(1) 


short-real 
65 
60-70 
2 
2-4 
FCOM 
[BP].UPPER_L1MIT 


long-real 
- 
70 
65-75 
4 
2-4 
FCOM 
WAVELENGTH 


FCOMP 
FCOMP f fsource 
Exceptions: 
I, D 
Compare 
real and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ffST(i) 
47 
42-52 
0 
2 
FCOMP 
ST(2) 


short-real 
68 
63-73 
2 
2-4 
FCOMP 
[BP + 2].N_READINGS 
long-real 
72 
67-77 
4 
2-4 
FCOMP 
DENSITY 


inter 


FCOMPP 
FCOMPP (no operands) 
Exceptions; 
I, 0 
Compare 
real and pop twice 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
50 
45-55 
0 
2 
FCOMPP 


FDECSTP 
FDECSTP (no operands) 
Exceptions: 
None 
Decrement 
stack pointer 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
9 
6-12 
-0 
2 
FDECSTP 


FDIV 
FDIV j jsourcejdestination,source 
Exceptions: 
I, 0, Z, 0, U, P 
Divide real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


jjST(i),ST 
198 
193-203 
0 
2 
FDIV 


short-real 
220 
215-225 
2 
2-4 
FDIV 
DISTANCE 


long-real 
225 
220-230 
4 
2-4 
FDIV 
ARC [01] 


FDIVP 
FDIVP destination, 
source 
Exceptions: 
I,D, 
Z, 0, U, P 
Divide real and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


ST(i),ST 
202 
197-207 
0 
2 
FDIVP 
ST(4),ST 


FDIVR 
FDIVR j jsourcejdestination, 
source 
Exceptions: 
I,D,Z,O,U,P 
Divide real reversed 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


j jST,ST(i)jST(i),ST 
199 
194-204 
0 
2 
FDIVR 
ST(2),ST 
short-real 
221 
216-226 
2 
2-4 
FDIVR 
[BX].PULSE_RATE 
long-real 
226 
221-231 
4 
2-4 
FDIVR 
RECORDER.FREQUENCY 


FDIVRP 
FDIVRP destination, 
source 
Exceptions: 
I, D, Z, 0, U, P 
Divide real reversed 
and pop 
. -- 
- 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ST(i),ST 
203 
198-208 
0 
2 
FDIVRP 
ST(1 ),ST 


FFREE 
FFREE destination 
Exceptions: 
None 
Free register 
- 
- 
- 
- 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


- -- -- 


ST(i) 
11 
9-16 
0 
2 
FFREE 
ST(1) 


FIADD 
FIADD source 
Exceptions: 
I, D, 0, P 
Integer 
add 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
120 
102-137 
1 
2-4 
FIADD 
DIST ANCE_ TRAVELLED 


short-integer 
125 
108-143 
2 
2-4 
FIADD 
PULSE_COUNT 
[SI] 


FICOM 
FICOM source 
Exceptions: 
I, D 
Integer 
compare 


• 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
80 
72-86 
1 
2-4 
FICOM 
TOOL.N_PASSES 


short-integer 
85 
78-91 
2 
2-4 
FICOM 
[BP+4].PARM_COUNT 


FICOMP 
FICOMP source 
Exceptions: 
I, D 
Integer 
compare 
and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
82 
74-88 
1 
2-4 
FICOMP 
[BP].L1MIT 
[SI] 


short-integer 
87 
80-93 
2 
2-4 
FICOMP 
N_SAMPLES 


FIDIV 
FIDIV source 
Exceptions: 
I, D, Z, 0, U, P 
Integer divide 


- 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


word-integer 
230 
224-238 
1 
2-4 
FIDIV 
SURVEY.OBSERVATIONS 
short-integer 
236 
230-243 
2 
2-4 
FIDIV 
RELATIVE.-ANGLE 
[DI] 


FIDIVR 
FIDIVR source 
Exceptions: 
I, D, Z, 0, U, P 
Integer divide 
reversed 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


word-integer 
230 
225-239 
1 
2-4 
FIDIVR 
[BP].X_COORD 
short-integer 
237 
231-245 
2 
2-4 
FIDIVR 
FREQUENCY 


FILD 
FILD source 
Exceptions: 
I 
Integer 
load 


~ 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
50 
46-54 
1 
2-4 
FILD 
[BX].SEQUENCE 
short-integer 
. 
56 
52-60 
2 
2-4 
FILD 
STANDOFF 
[DI] 
long-integer 
64 
60-68 
4 
2-4 
FILD 
RESPONSE.COUNT 


FIMUL 
FIMUL source 
Exceptions: 
I, D, 0, P 
Integer 
multiply 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
130 
124-138 
1 
2-4 
FIMUL 
BEARING 
short-integer 
136 
130-144 
2 
2-4 
FIMUL 
POSITION.Z_AXIS 


FINCSTP 
FINCSTP (no operands) 
Exceptions: 
None 
Increment 
stack pointer 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
9 
6-12 
0 
2 
FINCSTP 


FINIT / FNINIT 
FINIT /FNINIT 
(no operands) 
Exceptions: 
None 
Initialize 
processor 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


r 


(no operands) 
5 
2-8 
0 
2 
FINIT 


FIST 
FIST destination 
Exceptions: 
I, P 
Integer store 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
86 
80-90 
1 
2-4 
FIST 
OBS.COUNT[SI] 


short-integer 
88 
82-92 
2 
2-4 
FIST 
[BP;].FACTORED_PULSES 


FISTP 
FISTP destination 
Exceptions: 
I, P 
Integer 
store and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
88 
82-92 
1 
2-4 
FISTP 
[BX].ALPHA-COUNT 
[SI] 
short-integer 
90 
84-94 
2 
2-4 
FISTP 
CORRECTED_TIME 


long-integer 
100 
94-105 
4 
2-4 
FISTP 
PANEL.N_READINGS 


FISUB 
FISUB source 
Exceptions: 
I, D, 0, P 
Integer 
subtract 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
120 
102-137 
1 
2-4 
FISUB 
BASE_FREQUENCY 


short-integer 
125 
108-143 
2 
2-4 
FISUB 
TRAIN_SIZE 
[DI] 


FISUBR 
FISUBR source 
Exceptions: 
I, D, 0, P 
Integer 
subtract 
reversed 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


word-integer 
120 
103-139 
1 
2-4 
FI5UBR 
FLOOR 
[BX] [51] 


short-integer 
125 
109-144 
2 
2-4 
FISUBR 
BALANCE 


inter 


FLD 
FLD source 
Exceptions: 
I, D 
Load real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ST(i) 
20 
17-22 
0 
2 
FLD 
ST(O) 
short-real 
43 
38-56 
2 
2-4 
FLD 
READING 
[SI].PRESSURE 
long-real 
46 
40-60 
4 
2-4 
FLD 
[BP].TEMPERATURE 
temp-real 
57 
53-65 
5 
2-4 
FLD 
SAVEREADING 


FLDCW 
FLDCW source 
Exceptions: 
None 
Load control 
word 
c-: . 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


2-bytes 
10 
7-14 
1 
2-4 
FLDCW 
CONTROL-WORD 


FLDENV 
FLDENV source 
Exceptions: 
None 
Load environment 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


14-bytes 
40 
35-45 
7 
2-4 
FLDENV 
[BP + 6] 


FLDLG2 
FLDLG2 
(no operands) 
Exceptions: 
I 
Load IOg102 
i 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
21 
18-24 
0 
2 
FLDLG2 


FLDLN2 
FLDLN2 
(no operands) 


Load loge2 
Exceptions: 
I 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


. 


(no operands) 
20 
17-23 
0 
2 
FLDLN2 


• 


FLDL2E 
FLOL2E (no operands) 
Exceptions: 
I 
Load 1092e 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
18 
15-21 
0 
2 
FLDL2E 


FLDL2T 
FLOL2T (no operands) 
Exceptions: 
I 
Load 109210 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
19 
16-22 
0 
2 
FLDL2T 


FLDPI 
FLOPI (no operands) 
Exceptions: 
I 
Load 7r 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
19 
16-22 
0 
2 
FLDPI 


FLDZ 
FLOZ (no operands) 
Load +0.0 
Exceptions: 
I 


o· 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
14 
11-17 
0 
2 
FLDZ 


FLD1 
FLO1 (no operands) 
Load +1.0 
Exceptions: 
I 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
18 
15-21 
0 
2 
FLD1 


FMUL 
FMUL / /source/destination,source 
Exceptions: 
I, D, 0, U, P 
Multiply 
real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


/ /ST(i),ST /ST,ST(ij1 
97 
90-105 
0 
2 
FMUL 
ST,ST(3) 


/ /ST(i),ST /ST,ST(i) 
138 
130-145 
0 
2 
FMUL 
ST,ST(3) 


short-real 
118 
110-125 
2 
2-4 
FMUL 
SPEED_FACTOR 


long-reaP 
120 
112-126 
4 
2-4 
FMUL 
[BP].HEIGHT 


long-real 
161 
154-168 
4 
2-4 
FMUL 
[BP].HEIGHT 


FMULP 
FMULP destination, 
source 
Exceptions: 
I, D, 0, U, P 
Multiply 
real and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coditlg 
Example 
Typical 
Range 
Transfers 
Bytes 


ST(i),ST' 
100 
94-108 
0 
2 
FMULP 
ST(1),ST 


ST(i),ST 
142 
134-148 
0 
2 
FMULP 
ST(1),ST 


FNOP 
FNOP (no operands) 
Exceptions: 
None 
No operation 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
13 
10-16 
0 
2 
FNOP 
! 


FPATAN 
FPATAN (no operands) 
Exceptions: 
U, P (operands 
not checked) 
Partial arctangent 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
650 
250-800 
0 
2 
FPATAN 


FPREM 
FPREM (no operands) 
Partial remainder 
Exceptions: 
I, D, U 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
125 
15-190 
0 
2 
FPREM 


'Occurs 
when one or both operands 
is "short"-it 
has 40 trailing 
zeros 
in its fraction 
(e.g., it was loaded 


from a short-real 
memory 
operand. 


inter 


FPTAN 
FPTAN (no operands) 
Exceptions: 
I, P (operands 
not checked) 
Partial tangent 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
450 
30-540 
0 
2 
FPTAN 
. 
- - 


FRNDINT 
FRNDINT (no operands) 
Exceptions: 
I, P 
Round to integer 
- 
- 
- 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
45 
16-50 
0 


c 
2 
FRNDINT 


FRSTOR 
FRSTOR source 
Exceptions: 
None 
Restore saved state 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


94-bytes 
. 
2 
47 
2-4 
FRSTOR 
[SPj 


FSAVE/FNSAVE 
FSAVE/FNSAVE 
destination 
Exceptions: 
None 
Save state 


I 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


94-bytes 
3 
47 
2-4 
FSAVE 
[SPj 


2The 80287 execution 
clock count for this instruction 
is not meaningful 
in determining 
overall 
instruction 


execution 
time. For typical frequency 
ratios of the 80286 and 80287 clocks, 
80287 execution 
occurs 
in 


parallel with the operand 
transfers, 
with the operand 
transfers 
determining 
the overall execution 
time of 


the instruction. 
For 80286:80287 
clock frequency 
ratios of 4:8, 1:1, and 8:5, the overall execution 
clock 


count for this instruction 
is estimated 
at 490, 302, and 227 80287 clocks, respectively. 


3The 80287 execution 
clock count for this instruction 
is not meaningful 
in determining 
overall instruction 


execution 
time. For typical frequency 
rations of the 80286 and 80287 clocks, 
80287 execution 
occurs 
in 
parallel with the operand 
transfers, 
with the operand 
transfers 
determining 
the overall execution 
time of 


the instruction. 
For 80286:80287 
clock frequency 
ratios of 4:8, 1:1, and 8:5, the overall execution 
clock 


count for this instruction 
is estimated 
at 376,233, 
and 17480287 
clocks, respectively. 


inter 


FSCALE 
FSCALE (no operands) 
Exceptions: 
I, 0, U 
Scale 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
35 
32-38 
0 
2 
FSCALE 


FSETPM 
FSETPM (no operands) 
Exceptions: 
None 
Set protected 
mode 
, 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
2-8 
0 
2 
FSETPM 


FSQRT 
FSQRT (no operands) 
Exceptions: 
I, 0, P 
Square 
root 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
183 
180-186 
0 
2 
FSQRT 


FST 
FST destination 
Exceptions: 
1,0, U, P 
Store real 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


ST(i) 
18 
15-22 
0 
2 
FST 
ST(3) 
short-real 
87 
84-90 
2 
2-4 
FST 
CORRELATION 
[01) 
long-real 
100 
96-104 
4 
2-4 
FST 
MEAN_READING 


FSTCW/ 
FSTCW destination 
Exceptions: 
None 
FNSTCW 
Store control 
word 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 


2-bytes 
15 
12-18 
1 
2-4 
FSTCW 
SAVE_CONTROL 


inter 


FSTENV/ 
FSTENV destination 
Exceptions: 
None 
FNSTENV 
Store environment 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


14-bytes 
45 
40-50 
7 
2-4 
FSTENV 
[BP] 


FSTP 
FSTP destination 
Exceptions: 
I, 0, U, P 
Store real and pop 


- 
- - 
Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ST(i) 
20 
17-24 
0 
2 
FSTP 
ST(2) 


short-real 
89 
86-92 
2 
2-4 
FSTP 
[BX].ADJUSTED_RPM 


long-real 
,. 
102 
98-106 
4 
2-4 
FSTP 
TOTAL_DOSAGE 


temp-real 
55 
52-58 
5 
2-4 
FSTP 
REG_SAVE 
[SI] 


cc 


FSTSW/ 
FSTSW destination 
Exceptions: 
None 
FNSTSW 
Store status word 
., 
> 
.' 
- - 
~ 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


,c. 


2-bytes 
15 
12-18 
1 
2-4 
FSTSW 
SAVE_STATUS 
. 
- 


FSTSW 
AX/ 
FSTSW AX 
Exceptions: 
None 
FNSTSWAX 
Store status word to AX 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


AX 
10-16 
1 
2 
FSTSW 
AX 


FSUB 
FSUB j jsourcejdestination,source 
Exceptions: 
1,0,0, U, P 
Subtract 
real 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


j 1ST ,ST(i)/ST(i),ST 
85 
70-100 
0 
2 
FSUB 
ST,ST(2) 


short-real 
105 
90-120 
2 
2-4 
FSUB 
BASE_VALUE 


long-real 
110 
95-125 
4 
2-4 
FSUB 
COORDINATE.X 


FSUBP 
FSUBP destination, 
source 
Exceptions; 
I, D, 0, U, P 
Subtract 
real and pop 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


ST(i),ST 
90 
75-105 
0 
2 
FSUBP 
ST(2),ST 


FSUBR 
FSUBR j jsourcejdestination, 
source 
Exceptions; 
I, 0, 0, U, P 
Subtract 
real reversed 
- . 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


j jST,ST(i)jST(i),ST 
87 
70-100 
0 
2 
FSUBR 
ST,ST(1) 


short-real 
105 
90-120 
2 
2-4 
FSUBR 
VECTOR[Slj 


long-real 
110 
95-125 
4 
2-4 
FSUBR 
[BXj.lNDEX 


FSUBRP 
FSUBRP destination, 
source 
Exceptions: 
I, D, 0, U, P 
Subtract 
real reversed 
and pop 


. 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


- ,.,-- 


ST(i),ST 
90 
75-105 
0 
2 
FSUBRP 
ST(1),ST 
. 
- 
- 


FTST 
FTST (no operands) 
Exceptions; 
I, D 
, 


Test stack top against 
+0.0 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
42 
38-48 
0 
2 
FTST 


FWAIT 
FWAIT (no operands) 
Exceptions: 
None (CPU instruction) 
(CPU) Wait while 80287 is busy 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 


Typical 
Range 
Transfers 
Bytes 


(no operands) 
3+5n- 
3+5n4 
0 
1 
FWAIT 


FXAM 
FXAM (no operands) 
Exceptions: 
None 
Examine 
stack top 


. 
- 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
17 
12-23 
0 
2 
FXAM 


FXCH 
FXCH j jdestination 
Exceptions: 
I 
Exchange 
registers 


Execution 
Clocks 


Operands 
Operand. Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


jjST(i) 
12 
10-15 
0 
2 
FXCH 
ST(2) 


FXTRACT 
FXTRACT (no operands) 
Exceptions: 
I 
Extract 
exponent 
and significant 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
50 
27-55 
0 
2 
FXTRACT 


- 


FYL2X 
FYL2X (no operands) 
Exceptions: 
P (operands 
not checked) 
yo Log2X 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
950 
900-1100 
0 
2 
FYL2X 


FYL2XP1 
FYL2XP1 
(no operands) 
Exceptions: 
P (operands 
not checked) 
Y o10g2(X + 1) 


Execution 
Clocks 


Operands 
Operand 
Word 
Code 
Coding 
Example 
Typical 
Range 
Transfers 
Bytes 


(no operands) 
850 
700-1000 
0 
2 
FYL2XP1 


inter 


F2XM1 
F2XM1 (no operands) 
Exceptions: 
U, P (operands 
not checked) 
2x-1 


Execution 
Clocks 


Operands 
Operand Word 
Code 
Coding Example 
Typical 
Range 
Transfers 
Bytes 
, 


(no operands) 
500 
310-630 
0 
2 
F2XM1 
-. 


As described previously, the 80287 NPX is programmed simply as an extension of the 80286 CPU. 
This section describes"how programmers in ASM286 and in a variety of higher-level languages can 
work with the 80287. 


The level of detail in this section is intended to give programmers a basic understanding of the software 
tools that can be used with the 80287, but this information does not document the full capabilities of 
these facilities. For a complete list of documentation on all the languages available for iAPX 286 
systems, readers should consult Intel's Literature Guide. 


For programmers using high-level languages, the programming and operation of the NPX is handled 
automatically by the compiler. A variety of Intel high-level languages are available that automatically 
make use of the 80287 NPX when appropriate. These languages include 


PL/M-286 
FORTRAN-286 
PASCAL-286 
C-286 


Each of these high-level languages has special numeric libraries allowin"gprograms to take advantage 
of the capabilities of the 80287 NPX. No special programming conventions are necessary to make use 
of the 80287 NPX when programming numeric applications in any of these languages. 


Programmers in PL/M-286 and ASM286 can also make use of many of these library routines by using 
routines contained in the 80287 Support Library, described in the 80287 Support Library Reference 
Manual, Order Number 122129. These library routines provide many of the functions provided by 
higher-level languages, including exception handlers, ASCII-to-f1oating-point conversions, and a more 
complete set of transcendental functions than that provided"by the 80287 instruction set. 


Programmers in PL/M-286 can access a very useful subset of the 80287's numeric capabilities. The 
PL/M-286 REAL data type corresponds to the NPX's short real (32-bit) format. This data type provides 
a range of about 8.43* 10-37 ::5ABS(X) ::5 3.38* 1038, with about seven significant decimal digits. This 
representation is adequate for the data manipulated by many microcomputer applications. 


inter 


The utility of the REAL 
data type is extended 
by the PL/M-286 
compiler's 
practice 
of holding 
inter- 


mediate 
results 
in the 80287's 
temporary 
real format. 
This means that the full range and precision 
of 


the processor 
are utilized 
for intermediate 
results. 
Underflow, 
overflow, 
and rounding 
errors are most 


likely to occur during intermediate 
computations 
rather 
than during calculation 
of an expression's 
final 


result. Holding 
intermediate 
results in temporary 
real format 
greatly 
reduces 
the likelihood 
of overflow 


and underflow 
and eliminates 
roundoff 
as a serious source 
of error 
until the final assignment 
of the 


result is performed. 


The compiler 
generates 
80287 code to evaluate 
expressions 
that 
contain 
REAL 
data 
types, 
whether 


variables 
or constants 
or both. This means that addition, 
subtraction, 
multiplication, 
division, compar- 


ison, and assignment 
of REALs 
will be performed 
by the NPX. 
INTEGER 
expressions, 
on the other 


hand, are evaluated 
on the CPU. 


Five built-in procedures 
(table 2-15) give the PL/M-286 
programmer 
access to 80287 functions 
manip- 


ulated 
by the processor 
control 
instructions. 
Prior to any arithmetic 
operations, 
a typical 
PL/M-286 


program 
will set up the NPX 
after 
power up using the INIT$REAL$MATH$UNIT 
procedure 
and 


then issue SET$REAL$MODE 
to configure 
the NPX. 
SET$REAL$MODE 
loads the 80287 control 


word, and its l6-bit 
parameter 
has the format 
shown in figure 
1-5. The recommended 
value of this 


parameter 
is 033EH 
(projective 
closure, round to nearest, 
64-bit precision, all exceptions 
masked 
except 


invalid operation). 
Other 
settings 
may be used at the programmer's 
discretion. 


If any exceptions 
are unmasked, 
an exception 
handler 
must 
be provided 
in the form of an interrupt 
procedure 
that 
is designated 
to be invoked 
by CPU 
interrupt 
pointer 
(vector) 
number 
16. The excep- 


tion handler 
can use the GET$REAL$ERROR 
procedure 
to obtain 
the low-order 
byte of the 80287 
status word and to then clear the exception 
flags. The byte returned 
by GET$REAL$ERROR 
contains 
the exception 
flags; these can be examined 
to determine 
the source of the exception. 


The SA VE$REAL$ST 
ATUS 
and RESTORE$REAL$ST 
ATUS 
procedures 
are provided 
for multi- 


tasking 
environments 
where a running 
task that uses the 80287 may be preempted 
by another 
task that 


also uses the 80287. 
It is the responsibility 
of the preempting 
task to issue SAVE$REAL$STATUS 


before it executes 
any statements 
that affect the 80287; these include the INIT$REAL$MATH$UNIT 


and SET$REAL$MODE 
procedures 
as well as arithmetic 
expressions. 
SA VE$REAL$ST 
ATUS 
saves 
the 
80287 
state 
(registers, 
status, 
and 
control 
words, 
etc.) 
on 
the 
CPU's 
stack. 
RESTORE$REAL$ST 
ATUS 
reloads 
the state 
information; 
the preempting 
task 
must 
invoke 
this 
procedure 
before terminating 
in order to restore the 80287 to its state at the time the running 
task was 
preempted. 
This enables 
the preempted 
task to resume 
execution 
from the point of its preemption. 


Procedure 
80287 
Instruction 
Description 


INIT$REAL$MATH$UNIT(1) 
FINIT 
Initialize processor. 


SET$REAL$MODE 
FLDCW 
Set 
exception 
masks, 
rounding 
precision, and infinity controls. 


GET$REAL$ERROR(2) 
FNSTSW & FNCLEX 
Store, then clear, exception 
flags. 


SAVE$REAL$STATUS 
FNSAVE 
Save processor 
state. 


RESTORE$REAL$STATUS 
FRSTOR 
Restore 
processor 
state. 


{llAlsoinitializes interrupt pointers for emulation. 
{2lReturns low-order byte of status word. 


The ASM286 assembly language provides programmmers with complete access to all of the facilities 
of the 80286 and 80287 processors. 


160 instructions 


12 data types 


8 general registers 


4 segment registers 


8 floating-point registers, organized as a stack 


The ASM286 directives shown in table 2-16 allocate storage for 80287 variables and censtants. As 
with other storage allocation directives, the assembler associates a type with any variable defined with 
these directives. The type value is equal to the length of the storage unit in bytes (10 for DT, 8 for 
DQ, etc.). The assembler checks the type of any variable coded in an instruction to be certain that it 
is compatible with the instruction. For example, the coding FIADD ALPHA will be flagged as an 
error if ALPHA's type is not 2 or 4, because integer addition is only available for word and short 
integer data types. The operand's type also tells the assembler which machine instruction to produce; 
although to the programmer there is only an FIADD instruction, a different machine instruction is 
required for each operand type. 


On occasion it is desirable to use an instruction with an operand that has no declared type. For example, 
if register BX points to a short integer variable, a programmer may want to code FIADD [BX]. This 
can be done by informing the assembler of the operand's type in the instruction, coding FIADD DWORD 
PTR [BX]. The corresponding overrides for the other storage allocations are WORD PTR, QWORD 
PTR, and TBYTE PTR. 


The assembler does not, however, check the types of operands used in processor control instructions. 
Coding FRSTOR [BP] implies that the programmer has set up register BP to point to the stack location 
where the processor's 94-byte state record has been previously saved. 


The initial values for 80287 constants may be coded in several different ways. Binary integer constants 
may be specified as bit strings, decimal integers, octal integers, or hexadecimal strings. Packed decimal 
values are normally written as decimal integers, although the assembler will accept and convert other 
representations of integers. Real values may be written as ordinary decimal real numbers (decimal 
point required), as decimal numbers in scientific notation, or as hexadecimal strings. Using hexadecimal 
strings is primarily intended for defining special values such as infinities, NaNs, and nonnormalized 


Directive 
Interpretation 
Data Types 


OW 
Define Word 
Word integer 


DD 
Define Doubleword 
Short integer, 
short real 


DQ 
Define Quadword 
Long integer, 
long real 


DT 
Define Tenbyte 
Packed decimal, 
temporary 
real 


numbers. Most programmers will find that ordinary decimal and scientific decimal provide the simplest 
way to initialize 80287 constants. Figure 2-3 compares several ways of setting the various 80287 data 
types to the same initial value. 


Note that preceding 80287 variables and constants with the ASM286 EVEN directive ensures that the 
operands will be word-aligned in memory. This will produce the best system performance. All 80287 
data types occupy integral numbers of words so that no storage is "wasted" if blocks of variables are 
defined together and preceded by a single EVEN declarative. 


The ASM286 RECORD and STRUC (structure) declaratives can be very useful in NPX program- 
ming. The record facility can be used to define the bit fields of the control, status, and tag words. 
Figure 2-4 shows one definition of the status word and how it might be used in a routine that polls the 
80287 until it has completed an instruction. 


Because STRUCtures allow different but related data types to be grouped together, they often provide 
a natural way to represent "real world" data organizations. The fact that the structure template may 
be "moved" about in memory adds to its flexibility. Figure 2-5 shows a simple structure that might be 
used to represent data consisting of a series of test score samples. A structure could also be used to 
define the organization of the information stored and loaded by the FSTENV and FLDENV instructions. 


80287 memory data can be accessed with any of the CPU's five memory addressing modes. This means 
that 80287 data types can be incorporated in data aggregates ranging from simple to complex accord- 
ing to the needs of the application. The addressing modes, and the ASM286 notation used to specify 
them in instructions, make the accessing of structures, arrays, arrays of structures, and other organi- 
zations direct and straightforward. Table 2-17 gives several examples of 80287 instructions coded with 
operands that illustrate different addressing modes. 


THE 
FOLLOWING 
ALL 
ALLOCATE 
THE 
CONSTANT: 
-126 


NOTE 
TWO'S 
COMPLETE 
STORAGE 
OF 
NEGATIVE 
BINARY 
INTEGERS. 


EVEN 
WORD_I 
NTEGER 


SHORT_I 
NTEGER 


FORCE 
WORD 
ALIGNMENT 
BIT 
STRING 
HEX 
STRING 
MUST 
START 
WITH 
DIGIT 


LONG 
INTEGER 
DQ 
-126 
ORDINARY 
DECIMAL 


SHORT_REAL 
DD 
-126.0 
NOTE 
PRESENCE 
OF 
' 
, 


LONG_REAL 
DD 
-1.26E2 
"SCIENTIFIC" 


PACKED_DECIMAL 
DT 
-126 
ORDINARY 
DECIMAL 
INTEGER 


IN 
THE 
FOLLOWING, 
SIGN 
AND 
EXPONENT 
IS 
'COOS' 


SIGNIFICAND 
IS 
'7EOO 
... 
OO', 
'R' 
INFORMS 
ASSEMBLER 
THAT 


THE 
STRING 
REPRESENTS 
A 
R~AL 
DATA 
TYPE. 


111111111000010B 
OFFFFFF82H 


j 
RESERVE 
SPACE 
FOR 
STATUS 
WORD 


STATUS_WORD 


j 
LAY 
OUT 
STATUS 
WORD 
FIELDS 


STATUS 
RECORD 


'BUSY: 
" 


'COHD_CODE3: 
" 


, 
STACK 
TOP: 
3, 


'COHD_CODE2: 
" 


, 
COHD_CODE': 
" 


, 
COHD 
CODED: 
" 


, 
IHT 
REG: 
" 


'RESERVED: 
" 


, 
P 
FlAG: 
" 


'U_FLAG: 
" 


'O_FLAG: 
" 


'Z_FLAG: 
" 


& 
D_FLAG: 
" 


& 
I_FLAG: 
, 


POLL 
STATUS 
WORD 
UHTIL 
80287 
IS 
HOT 
BUSY 


POLL: 
FHSTSW 
STATUS_WORD 


TEST 
STATUS_WORD, 
MASK 
BUSY 
JHZ 
POLL 


H_OBS 
MEAH 
MODE 
STD_DEV 
; 
ARRAY 
OF 


TEST_SCORES 


SAMPLE 
EHDS 


DD 
SHORT 
IHTEGER 
DG 
LOHG 
REAL 
DW 
WORD 
IHTEGER 
DG 
LOHG 
REAL 
OBSERVATIOHS 
-- 
WORD 
INTEGER 
DW 
'000 
DUP 
(?) 


Coding 
Interpretation 


FIADD 
ALPHA 
ALPHA 
is a simple 
scalar (mode 
is direct). 


FDIVR 
ALPHA.BETA 
BET A is a field 
in a structure 
that 
is 
"overlaid" 
on ALPHA 
(mode is direct). 


FMUL 
aWORD 
PTR [BX] 
BX contains 
the 
address 
of 
a long 
real 


variable 
(mode is register 
indirect). 


F5UB 
ALPHA 
[51] 
ALPHA 
is an array 
and 
51 contains 
the 


offset 
of an array element 
from the start of 


the array (mode is indexed). 


inter 


Coding 
Interpretation 


FILO 
[BP).BETA 
BP contains the address of a structure on 
the CPU stack and BETA is a field in the 
structure (mode is based). 
FBLO 
TBYTE PTR [BX) [01) 
BX contains 
the address 
of a packed 
decimal array and 01contains the offset of 
an array element (mode is based indexed). 


Comparative 
Programming 
Example 


Figures 2-6 and 2-7 show the PL/M-286 
and ASM286 code for a simple 80287 program. called 


ARRSUM. The program references an array (X$ARRA V). which contains 0-100 short real values; 
the integer variable N$OF$X indicates the number of array elements the program is to consider. 
ARRSUM steps through X$ARRA Y accumulating three sums: 


• 
SUM$X. the sum of the array values 
• 
SUM$INDEXES, 
the sum of each array value times its index, where the index of the first element 
is I, the second is 2. etc. 


• 
SUM$SQUARES. 
the sum of each array element squared 


(A true program. of course. would go beyond these steps to store and use the results of these calcula- 
tions.) The control word is set with the recommended values: projective closure. round to nearest, 
64-bit precision. interrupts enabled. and all exceptions masked invalid operation. It is assumed that an 
exception handler has been written to field the invalid operation. if it occurs. and that it is invoked by 
interrupt pointer 16. Either version of the program will run on an actual or an emulated 80287 without 
altering the code shown. 


The PL/M-286 version of ARRSUM (figure 2-6) is very straightforward and illustrates how easily the 
80287 can be used in this language. After declaring variables the program calls built-in procedures to 
initialize the processor (or its emulator) and to load to the control word. The program clears the sum 
variables and then steps through X$ARRA Y with a DO-loop. The loop control takes into account 
PL/M-286's practice of considering the index of the first element of an array to be O. In the compu- 
tation of SUM$INDEXES. 
the built-in procedure FLOAT converts 1+1 from integer to real because 


the language does not support "mixed mode" arithmetic. One of the strengths of the NPX. of course. 
is that it does support arithmetic on mixed data types (because all values are converted internally to 
the 80-bit temporary real format). 


The ASM286 version (figure 2-7) defines the external procedure INIT287. which makes the different 
initialization requirements of the processor and its emulator transparent to the source code. After defining 
the data and setting up the segment registers and stack pointer. the program calls INIT287 and loads 
the control word. The computation begins with the next three instructions, which clear three registers 
by loading (pushing) zeros onto the stack. As shown in figure 2-8, these registers remain at the bottom 
of the stack throughout the computation while temporary values are pushed on and popped off the 
stack above them. 


The program uses the CPU LOOP instruction to control its iteration through X-ARRA Y; register CX, 
which LOOP automatically decrements, is loaded with N_OF _X, the number of array elements to be 
summed. Register SI is used to select (index) the array elements. The program steps through X-ARRA Y 
from back to front, so SI is initialized to point at the element just beyond the first element to be 
processed. The ASM286 TYPE operator is used to determine the number of bytes in each array element. 
This permits changing X-ARRA Y to a long real array by simply changing its definition (DD to DQ) 
and reassembling. 


SERIES-III 
PL/M-286 
VI. 
0 
CDt1PILATIoN 
OF 
MODULE 
ARRAYSUM 
o8JECT 
MODULE 
PLACED 
II< 
: F6: 
D. oBJ 


COMPILER 
INVOKED 
BY: 
PLH286 
86 
: F6: 
D. SRC 
XREF 


1********·*****··*****************·****************- 
* 
* 
A 
R 
RAY 
SUM 
MOD 
* 


* 
* 


************************************** 
•• ***********1 


2 
3 
4 
5 


6 
7 


8 


9 
I 
10 
2 
II 
2 


12 
2 


13 
2 


14 


declare 
(sum.x,sum.inde 
•• s.sum.s~uares) 
real; 


declaT"e 
x$arra\l(100) 
re.l; 


dec lare 
(nSofSx. 
i) 
integer; 
declare 
contT"olS287 
literally 
'033.h'; 


/* 
Prepare 
the 
80287 
of 
its 
emulator 
*1 


call 
initSreal$mathSvnit; 


ca 11 setSrea 
I.mod e (c antro 1$287); 


1* 
Loop 
through 
array. 
accumulating 
*1 


do 
i = 
0 
to 
nSof •• -l; 


sumSx 
- 
sumS. 
+ 
xS.rrayCi); 


sum.indexes 
= 
sum.indexes 
+ 


(xSarrayeD 
* 
floatCi+1»; 


sum.squares 
= 
sumSsquares 
+ 
( •• .array (i )•• $.rr.y 
(i»; 


end. 


0006H 
117 
ARRAYSUt1 
CONTROL287 
FLOAT. 


4 
019EH 
2 
I. 


INITREALMATHUNIT 


4 
019CH 
2 
NoFX 
SETREAU10DE. 


R 
0OO4H 
4 
SUMINDEXES 


2 
OOOBH 
4 
SUMSClUARES 


2 
OOOOH 
4 
SUMX 
3 
OOOCH 
400 
XARRAY 


PROCEDURE 
ST ACK-0002H 
LITERALLY 
'033.h' 
7 
BUILTIN 
II 
INTEGER 
9* 
9 
10 
II 
1:1 
13 


BUlL 
TIN 
6 
INTEGER 
9 
BUlL 
TIN 
7 
REAL 
8* 
II 
11* 
REAL 
8* 
12 
1:1* 


REAL 
8* 
10 
10* 
REAL 
ARRAY( 
100) 
10 
II 
1:1 


CODE 
AREA 
SIZE 


CoNST~NT 
AREA 
SIZE 


VARIABLE 
AREA 
SIZE 


MAXIMUM 
STACK 
SIZE 


33 
LINES 
READ 
o 
PROGRAM 
WARNINGS 
o 
PROGRAM 
ERRORS 


0077H 
0004H 
01AOH 


= 
0002H 


1190 
40 
4160 
20 


96KB 
MEMORY 
AVAILABLE 


3KB 
t1EMoRY 
USED 
(3%) 
OKB 
DISK 
SPACE 
USED 


inter 
PROGRAMMING NUMERIC APPLICATIONS 


SERIES-I 
I I 
iAPX286 
MACRO 
ASSEMBLER 
XIQB 
ASSEMBLY 
OF 
MODULE 
EXAMPLE_ASM.286_PROGRAM 


OBJECT MODULE PLACED IN 
: F6: 287EXP. OBJ 


ASSEMBLER INVOKED BY: 
ASM286.86: 
F6: 287EXP. SRC XREF 


0000 
3E03 


0002 
'71'?? 
0004 
<100 
"???????? 


0194 
'?????7?? 


0196 ???????? 
019C ???????? 


0000 
0000 
88---- 
R 


0003 
8ED8 


0005 
88---- 
R 


0008 
8EDO 


OOOA 8CFEFF 
R 


OOOD9AOOOO---- 
E 


0012 
D92EOOOO 
R 


0016 
D9EE 


0018 
D9EE 


OOIA D9EE 


OOIC 880E0200 
0020 
F7E9 


0022 
88FO 


0024 
0024 
83EE04 


0027 
D9840400 
0028 
DCC3 


002D 
D9CO 


002F 
DCC8 


0031 
DEC2 


0033 
FFOE0200 
0037 
E2EB 


0039 
0039 
D91E9401 


003D 
D91E9801 


0041 
D91E9COI 


0045 
98 


name 
e xamp 
1eo_ASM28o_program 
Define 
initialization 
Toutine 
extT'n 
init287: 
'a1" 


Allocat. 
space 
for 
data 


data 
segment 
rw 
public 
control 
287 
dw 
033eh 
"_of_x 
- 
dw 
? 


x_array 
dd 
100 
dup 
(?) 


sum_squares 
sum_indexes 
sum_x 
data 
ends 


; 
Beg in 
code 
code 
segment 
&1' public 
assume 
ds: 
data. 


ax. data 
me.... 
ds. ax 


mav 
ax, stack 


moy 
5s.ax 


mo.... 
sp. stackstart 
stack 


Prepare 
the 
80287 
or 
its 
emulator. 


call 
init287 


fldcw 
control_287 


j 
Clear 
three 
regilters 
to 
hold 
running 
sums 


'ldz 
lId 
1 
lId I 


Setup 
ex 
as 


51 
as 
index 
mav 
imul 
mav 


loop 
counter 
and 
to 
x_array 
ex, n_of!_x 


ex 
~i. ax 


; 
51 
now 
contains 
index 
of! last 
element 
+ 
1 


; 
Loop 
thru 
x_array 
•• 
ecumulating 
sums 


sum_next: 


sub 
fld 
f!add 
fld 
f!mul 
f!.ddp 


si. 
type 
x_array 
x_.rray[~i] 
st(3).st 
st 
st,st 
st(2), 
st 


backup 
one 
element 
push 
it 
on 
the 
stack 


add 
into 
sum 
of! x 


duplic.te 
x on 
top 
square 
it 
add 
into 
sum 
of! 
(index+x) 
.nd 
discard 
reduce 
index 
for 
next 
iteration 
i continue 


i 
Pop 
running 


pop_results: 


fstp 
f!stp 
flstp 
"wait 


sum_sQ.uartts 
sum_indexes 
sum_I 


inter 
PROGRAMMING NUMERIC APPLICATIONS 


iAPX286 
MACRO ASSEMBLER 
EXAMPLE_ASM286_PROGRAM 


XREF 
SYMBOL 
TABLE 
LI ST ING 


CODE. 
SEGMENT 
SI ZE=0046H 
ER PUBLIC 
19* 
69 


CONTROL_287 
V WORD 
OOOOH 
DATA 
7* 
33 


DATA. 
SEGMENT 
SIZE=OIAOH 
RW PUBLIC 
6* 
13 
20 
22 


IN!T287 
L 
FAR 
OOOOH 
EXTRN 
3* 
32 


N OF 
X. 
V WORD 
0002H 
DATA 
8* 
42 
'6 
POPjlESUL 
TS 
L 
NEAR 
0039H 
CODE 
60* 


STACK 
STACK 
SlZE=0190H 
RW PUBLIC 
16* 
20 
24 
26 


START 
L 
NEAR 
OOOOH 
CODE 
21* 
70 


SUM_INDEXES 
V DWORD 
0198H 
DATA 
Ill. 
62 


SUM_NEXT. 
L 
NEAR 
0024H 
CODE 
48* 
'7 


SUM_SQUARES 
V DWORD 
0194H 
DATA 
10* 
61 


SUM••X 
V DWORD 
019CH 
DATA 
12* 
63 


X_ARRAY 
V DWORD 
0004H 
(100) 
DATA 
9* 
49 
'0 


END OF 
SYMBOL 
TABLE 
LISTING 


ASSEMBLY 
COMPLETE. 
NO ERRORS 


ST(O) 


ST(l) 


ST(2) 


0.0 
SU 


0.0 
SU 


0.0 
SU 


M_SQUARES 


M_INDEXES 


RRAY (19) 


_.SQUARES 


- 
FMUL ST,ST 
- 
--- - 
ST(O) 
6.25 
X_ARRAY(19)2 


ST(1) 
2.5 
X_ARRAY(19) 


ST(2) 
0.0 
SUM_SQUARES 


ST(3) 
0.0 
SUM_INDEXES 


ST(4) 
2.5 
SUM_X 
..... 
..... 


ST(O) 


ST(l) 


ST(2) 


ST(3) 


, 
~ 


2.5 
X_A 


0.0 
SUM 


0.0 
SUM 


2.5 
SUM 


ST(O) 


ST(l) 


ST(2) 


ST(3) 


FIMUL 
N 
OF 
X 


50.0 
X_A 


6.25 
SUM 


0.0 
SUM 


2.5 
SUM 


RRAY(19)·20 


_SQUARES 


_INDEXES 


- 


T(O) 
2.5 


T(l) 


T(2) 
0.0 


T(3) 
0.0 
-- 
ST 


ST 


(0) 
2.5 


(1) 
2.5 


(2) 
0.0 


(3) 
0.0 


(4) 
2.5 


ST(O) 
2.5 


ST(l) 
6.25 


ST(2) 
0.0 


ST(3) 
2.5 
- 


X._ARRAY (19) 


SUM_SQUARES 


SUM_INDEXES 


SUM_X 


X_ARRAY (19) 


X_ARRAY (19) 


SUM_SQUARES 


SUM_INDEXES 


SUM_X 


X_ARRAY(19) 


SUM_SQUARES 


FADDP 
ST(2l,ST 


~§§'25 
SUM_SQUARES 


ST(l) 
50.0 
SUM_INDEXES 


ST(2) 
2.5 
SUM_X 


Figure 2-8 shows the effect of the instructions in the program loop on the NPX register stack. The 
figure assumes that the program is in its first iteration, that N_OF _X is 20, and that )CARRA Y(l9) 
(the 20th element) contains the value 2.5. When the loop terminates, the three sums are left as the top 
stack elements so that the program ends by simply popping them into memory variables. 


The programming of applications to execute on both iAPX 286/10 and iAPX 286/20 systems is made 
much easier by the existence of an 80287 emulator for iAPX 286/10 systems. The Intel E80287 emulator 
offers a complete software counterpart to the 80287 hardware; NPX instructions can be simply emulated 
in software rather than being executed in hardware. With software emulation, the distinction between 
iAPX 286/10 and iAPX 286/20 systems is reduced to a simple performance differential. Identical 
numeric programs will simply execute more slowly on iAPX 286/10 systems (using software emulation 
of NPX instructions) than on iAPX 286/20 systems (executing NPX instructions directly). 


When incorporated into the systems software, the emulation of NPX instructions on iAPX 286/l0 
systems is completely transparent to the programmer. Applications software needs no special libraries, 
linking, or other activity to allow it to run on an iAPX 286/10 with 80287 emulation. 


To the applications programmer, the development of programs for iAPX 286 systems is the same 
whether the 80287 NPX hardware is available or not. The full iAPX 286/20 instruction set is available 
for use, with NPX instructions being either emulated or executed directly. Applications programmers 
need not be concerned with the hardware configuration of the computer systems on which their appli- 
cations will eventually run. 


For systems programmers, details relating to 80287 emulators are described in a later section of this 
supplement. An E80287 software emulator for iAPX 286/10 systems is contained in the iMDX 364 
8086 Software Toolbox, available from Intel and described in the 8086 Software Toolbox Manual. 


Because the 80286 CPU and the 80287 NPX have separate execution units, it is possible for the NPX 
to execute numeric instructions in parallel with instructions executed by the CPU. This simultaneous 
execution of different instructions is called concurrency. 


No special programming techniques are required to gain the advantages of concurrent execution; numeric 
instructions for the NPX are simply placed in line with the instructions for the CPU. CPU and numeric 
instructions are initiated in the same order as they are encountered by the CPU in its instruction 
stream. However, because numeric operations performed by the NPX generally require more time than 
operations performed by the CPU, the CPU can often execute several of its instructions before the 
NPX completes a numeric instruction previously initiated. 


This concurrency offers obvious advantages in terms of execution performance, but concurrency also 
imposes several rules that must be observed in order to assure proper synchronization of the 80286 
CPU and 80287 NPX. 


All Intel high-level languages automatically 
provide for and manage concurrency in the NPX. 
Assembly-language programmers, however, must understand and manage some areas of concurrency 
in exchange for the flexibility and performance of programming in assembly language. This section is 
for the assembly-language programmer or well-informed high-level-language programmer. 


Concurrent 
execution 
of the host and 80287 is easy to establish 
and maintain. 
The activities 
of numeric 


programs 
can be split into two major areas: program 
control and arithmetic. 
The program 
control 
part 


performs 
activities 
such 
as deciding 
what 
functions 
to perform, 
calculating 
addresses 
of numeric 


operands, 
and loop control. 
The arithmetic 
part simply adds, subtracts, 
multiplies, 
and performs 
other 


operations 
on the numeric operands. 
The NPX and host are designed to handle these two parts separately 
and efficiently. 


Managing 
concurrency 
is necessary 
because 
both the arithmetic 
and control areas must converge 
to a 


well-defined 
state 
before 
starting 
another 
numeric 
operation. 
A well-defined 
state 
means 
all previous 


arithmetic 
and control operations 
are complete 
and valid. 


Normally, 
the host waits for the 80287 to finish the current 
numeric 
operation 
before starting 
another. 


This waiting 
is called synchronization. 


I. 
Instruction 
synchronization 


2. 
Data synchronization 


3. 
Error synchronization 


For programmers 
in higher-level 
languages, 
all three types of synchronization 
are automatically 
provided 
by the 
appropriate 
compiler. 
For 
assembly-language 
programmers, 
instruction 
synchronization 
is 


guaranteed 
by the NPX 
interface, 
but data 
and error 
synchronization 
are the responsibility 
of the 


assembly-language 
programmer. 


Instruction 
synchronization 
is required 
because 
the 80287 can perform 
only one numeric 
operation 
at 


a time. Before any numeric 
operation 
is started, 
the 80287 must have completed 
all activity 
from its 


previous 
instruction. 


Instruction 
synchronization 
is guaranteed 
for most ESC instructions 
because 
the 80286 automatically 
checks the BUSY status 
line from the 80287 before commencing 
execution 
of most ESC instructions. 
No explicit 
WAIT instructions 
are necessary 
to ensure proper 
instruction 
synchronization. 


Data synchronization 
addresses 
the issue of both the CPU and the NPX referencing 
the same memory 


values within a given block of code. Synchronization 
ensures that these two processors access the memory 
operands 
in the proper sequence, 
just as they would be accessed 
by a single processor 
with no concur- 


rency. 
Data 
synchronization 
is not a concern 
when the CPU 
and NPX 
are using different 
memory 


operands 
during 
the course of one numeric 
instruction. 


I. 
The 80286 CPU 
reads or alters 
a memory 
operand 
first, then invokes the 80287 to load or alter 


the same operand. 


2. 
The 80287 is invoked 
to load or alter 
a memory 
operand, 
after 
which the 80286 CPU 
reads or 


alters the same location. 


inter 


Due to the instruction synchronization of the NPX interface, data synchronization is automatically 
provided for the first case-the 
80286 will always complete its operation before invoking the 80287. 


For the second case, data synchronization is not always automatic. In general, there is no guarantee 
that the 80287 will have finished its processing and accessed the memory operand before the 80286 
accesses the same location. 


Figure 2-9 shows examples of the two possible cases of the CPU and NPX sharing a memory value. In 
the examples of the first case, the CPU will finish with the operand before the 80287 can reference it. 
The NPX interface guarantees this. In the examples of the second case, the CPU must wait for the 
80287 to finish with the memory operand before proceeding to reuse it. The FWAIT instructions shown 
in these examples are required in order to ensure this data synchronization. 


There are several NPX control instructions where automatic data synchronization is provided; however; 
the FSTSW /FNSTSW, 
FSTCW /FNSTCW, 
FLDCW, FRSTOR, and FLDENV instructions are all 
guaranteed to finish their execution before the CPU can read or alter the referenced memory locations. 


The 80287 provides data synchronization for these instructions by making a request on the Processor 
Extension Data Channel before the CPU executes its next instruction. Since the NPX data transfers 
occur before the CPU regains control of the local bus, the CPU cannot change a memory value before 
the NPX has had a chance to reference it. In the case of the FSTSW AX instruction, the 80286 AX 
register is explicitly updated before the CPU continues execution of the next instruction. 


For the numeric instructions not listed above, the assembly-language programmer must remain aware 
of synchronization and recognize cases requiring explicit data synchronization. Data synchronization 
can be provided either by programming an explicit FWAIT instruction, or by initiating a subsequent 
numeric instruction before accessing the operands or results of a previous instruction. After the subse- 
quent numeric instruction has started execution, all memory references in earlier numeric instructions 
are complete. Reaching the next host instruction after the synchronizing numeric instruction indicates 
that previous numeric operands in memory are available. 


The data-synchronization function of any FWAIT or numeric instruction must be well-documented, as 
shown in figure 2-10. Otherwise, a change to the program at a later time may remove the synchronizing 
numeric instruction and cause program failure. 


Case 1: 
Case 2: 


MOV 
I, 
F I L D 


F I L D 
I 
FWAIT 
MOV 
I , 5 


MOV 
A X , I 
F 1ST 
P 


F I 5 TP 
I 
F W A I T 
MOV 
A X , I 


F·I 5 T P 


FMUL 
MOV 


15 
updllted 
before 
FMUL 
15 
executed 
15 
now 
511fe 
to 
U5e 


High-level languages automatically establish data synchronization and manage it, but there may be 
applications where a high-level language may not be appropriate. 


For assembly-language programmers, automatic data synchronization can be obtained using the assem- 
bler, although concurrency of execution is lost as a result. To perform automatic data synchronization, 
the assembler can be changed to always place aWAIT 
instruction after the ESCAPE instruction. 
Figure 2-11 shows an example of how to change the ASM286 Code Macro for the FIST instruction to 
automatically place aWAIT 
instruction after the ESCAPE instruction. This Code Macro is included 


in the ASM286 source module. The price paid for this automatic data synchronization is the lack of 
any possible concurrency between the CPU and NPX. 


Almost any numeric instruction can, under the wrong circumstances, produce a numeric error. Concur- 
rent execution of the CPU and NPX requires synchronization for these errors just as it does for data 
references and numeric instructions. In fact, the synchronization required for data and instructions 
automatically provides error synchronization. 


However, incorrect data or instruction synchronization may not be discovered until a numeric error 
occurs. A further complication is that a programmer may not expect his numeric program to cause 
numeric errors, but in some systems, they may regularly happen. To better understand these points, 
let's look at what can happen when the NPX detects an error. 


The NPX can provide a default fix-up for selected numeric errors. Programs can mask individual 
error types to indicate that the NPX should generate a safe, reasonable result whenever that error 
occurs. The default error fix-up activity is treated by the NPX as part of the instruction causing 
the error; no external indication of the error is given. When errors are detected, a flag is set in the 
numeric status register, but no information regarding where or when is available. If the NPX performs 
its default action for all errors, then error synchronization is never exercised. This is no reason to 
ignore error synchronization, however. 


• 
As an alternative to the NPX default fix-up of numeric errors, the 80286 CPU can be notified 
whenever an exception occurs. The CPU can then implement any sort of recovery procedures desired, 
for any numeric error detectable by the NPX. When a numeric error is unmasked and the error 


Th15 
15 
an 
ASM286 
code 
macro 
to 
redeflne 
the 
FIST 


ln5tructlon 
to 
prevent 
any 
concurrency 


whlle 
the 
ln5tructlon 
run5. 
A 
walt 


ln5tructlon 
15 
placed 
lmmedlately 
after 
the 


e5cape 
to 
en5ure 
the 
5tore 
15 
done 


before 
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program 
may 
contlnue. 


CodeMacro 
FIST 
memop: 
Mw 


RflxM 
111B, 
memop 


ModRM 
010B, 
memop 


RWflx 
EndM 
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occurs, the NPX stops further execution of the numeric instruction and signals this event to the 
CPU. On the next occurrence of an ESC or WAIT instruction, the CPU traps to a software excep- 
tion handler. Some ESC instructions do not check for errors. These are the nonwaited forms FNINIT, 
FNSTENV, FNSAVE, FNSTSW, FNSTCW, and FNCLEX. 


When the NPX signals an unmasked exception condition, it is requesting help. The fact that the error 
was unmasked indicates that further numeric program execution under the arithmetic and program- 
ming rules of the NPX is unreasonable. 


If concurrent execution is allowed, the state of the CPU when it recognizes the exception is undefined. 
The CPU may have changed many of its internal registers and be executing a totally different program 
by the time the exception occurs. To handle this situation, the NPX has special registers updated at 
the start of each numeric instruction to describe the state of the numeric program when the failed 
instruction was attempted. 


Error synchronization ensures that the NPX is in a well-defined state after an un,masked numeric error 
occurs. Without a well-defined state, it would be impossible for exception recovery routines to figure 
out why the numeric error occurred, or to recover successfully from the error. 


An example of how some instructions written without error synchronization will work initially, but fail 
when moved into a new environment is shown in figure 2-12. 


In figure 2-12, three instructions are shown to load an integer, calculate its square root, then increment 
the integer. The NPX interface and synchronous execution of the NPX emulator will allow this program 
to execute correctly when no errors occur on the FILD instruction. 


This situation changes if the 80287 numeric register stack is extended to memory. To extend the NPX 
stack to memory, the invalid error is unmasked. A push to a full register or pop from an empty register 
will cause an invalid error. The recovery routine for the error must recognize this situation, fix up the 
stack, then perform the original operation. 


The recovery routine will not work correctly in the first example shown in the figure. The problem is 
that the value of COUNT is incremented before the NPX can signal the exception to the CPU. Because 
COUNT is incremented before the exception handler is invoked, the recovery routine will load an 
incorrect value of COUNT, causing the program to fail or behave unreliably. 
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PROPER ERROR SYNCHRONIZATION 
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Error Synchronization relies on the WAIT instructions required by instruction and data synchroniza- 
tion and the BUSY and ERROR signals of the 80287. When an unmasked error occurs in the 80287, 
it asserts the ERROR signal, signalling to the CPU that a numeric error has occurred. The next time 
the CPU encounters an error-checking ESC or WAIT instruction, the CPU acknowledges the ERROR 
signal by trapping automatically to Interrupt #16, the Processor Extension Error vector. If the follow- 
ing ESC or WAIT instruction is properly placed, the CPU will not yet have disturbed any information 
vital to recovery from the error. 


System-Level 
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CHAPTER 
3 
SYSTEM-LEVEL 
NUMERIC PROGRAMMING 


System programming for iAPX 286/20 systems requires a more detailed understanding of the 80287 
NPX than does application programming. Such things as emulation, initialization, exception handling, 
and data and error synchronization are all the responsibility of the systems programmer. These topics 
are covered in detail in the sections that follow. 


On a software level, the 80287 NPX appears as an extension of the 80286 CPU. On the hardware 
level, however, the mechanisms by which the 80286 and 80287 interact are a bit more complex. This 
section describes how the 80287 NPX and 80286 CPU interact and points out features of this inter- 
action that are of interest to systems programmers. 


All transfers of operands between the 80287 and system memory are performed by the 80286's internal 
Processor Extension Data Channel. This independent, DMA-like data channel permits all operand 
transfers of the 80287 to come under the supervision of the 80286 memory-management and protection 
mechanisms. The operation of this data channel is completely transparent to software. 


Because the 80286 actually performs all transfers between the 80287 and memory, no additional bus 
drivers, controllers, or other components are necessary to interface the 80287 NPX to the local bus. 
Any memory accessible to the 80286 CPU is accessible by the 80287. The Processor Extension Data 
Channel is described in more detail in Chapter Six of the iAPX 286 Hardware Reference Manual. 


Like the 80286 CPU, the 80287 NPX can operate in both Real-Address mode and in Protected mode. 
Following a hardware RESET, the 80287 is initially activated in Real-Address mode. A single, privi- 
leged instruction (FSETPM) is necessary to set the 80287 into Protected mode. 


As an extension to the 80286 CPU, the 80287 can access any memory location accessible by the task 
currently executing on the 80286. When operating in Protected mode, all memory references by the 
80287 are automatically verified by the 80286's memory management and protection mechanisms as 
for any other memory references by the currently-executing task. Protection violations associated with 
NPX instructions automatically cause the 80286 to trap to an appropriate exception handler. 


To the programmer, these two 80287 operating modes differ only in the manner in which the NPX 
instruction and data pointers are represented in memory following an FSAVE or FSTENV instruction. 
When the 80287 operates in Protected mode, its NPX instruction and data pointers are each repre- 
sented in memory as a 16-bit segment selector and a 16-bit offset. When the 80287 operates in Real- 
Address mode, these same instruction and data pointers are represented simply as the 20-bit physical 
addresses of the operands in question (see figure 1-7 ionChapter One). 


The 80287 NPX 
does not require 
that 
any memory 
addresses 
be set aside for special 
purposes. 
The 


80287 does make use of I/0 
port addresses 
in the range 00F8H 
through 
OOFFH, although 
these I/O 


operations 
are completely 
transparent 
to the iAPX 
286 software. 
iAPX 
286 programs 
must not refer- 


ence these reserved 
I/0 
addresses 
directly. 


To prevent any accidental 
misuse or other tampering 
with numeric 
instructions 
in the 80287, the 80286's 


I/O 
Privilege 
Le\"el (IOPL) 
should 
be used 
in multiuser 
reprogrammable 
environments 
to restrict 


application 
program 
access to the I/0 
address 
space and So guarantee 
the integrity 
of 80287 compu- 


tations. 
Chapter 
Eight of the iAPX 286 Operating System Writer's Guide contains 
more details regard- 


ing the use of the I/0 
Privilege 
Level. 


One of the principal 
responsibilities 
of systems software 
is the initialization, 
monitoring, 
and control of 


the hardware 
and software 
resources 
of the system, 
including 
the 80287 NPX. 
In this section, 
issues 


related 
to system initialization 
and control are described, 
including 
recognition 
of the NPX, 
emulation 


of the 80287 NPX 
in software 
if the hardware 
is not available, 
and the handling 
of exceptions 
that 


may occur during 
the execution 
of the 80287. 


Recognize 
the presence 
or absence 
of the NPX 


• 
Set flags in the 80286 MSW to reflect 
the state of the numeric 
environment 


• 
Initialized 


• 
Switched 
into Protected 
mode (if desired) 


During 
initialization, 
the 80286 is easily programmed 
to recognize 
the presence 
of the 80287 
NPX. 
Figure 
3-1 shows an example 
of such a recognition 
routine. 


In the example, 
the 80286 assumes 
that 
the 80287 is present 
and executes 
an FNINIT 
instruction. 
Following 
the FNINIT 
instruction, 
the 80286 attempts 
to read the NPX 
status 
word. If the 80287 


NPX 
is present, 
the lower eight bits of this word (the exception 
flags) will be all zeros. If an 80287 is 


not present, 
these 
data 
lines will have 
been 
floating. 
The iAPX 286 Hardware Reference Manual 
describes 
how to design 
the 80287 
socket 
to ensure 
that 
at least one of these 
lower eight 
data 
lines 
floats high in the absence 
of the 80287. 


inter 
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Once the 80286 CPU has determined 
the presence 
or absence 
of the 80287 NPX, 
the 80286 must set 
either the MP or the EM bit in its own machine 
status word accordingly. 
The initialization 
routine 
can 
either 


Set the MP bit in the 80286 
MSW 
to allow numeric 
instructions 
to be executed 
directly 
by the 
80287 NPX 
component 


Set the EM bit in the 80286 MSW to permit 
software 
emulation 
of the 80287 numeric 
instructions 


The Math Present 
(MP) flag of the 80286 machine 
status word indicates 
to the CPU whether 
an 80287 
NPX is physically 
available 
in the system. The MP flag controls the function 
of the WAIT 
instruction. 


When executing 
aWAIT 
instruction, 
the 80286 tests only the Task Switched 
(TS) bit if MP is set; if 
it finds TS set under these conditions, 
the CPU traps to exception 
#7. 


The Emulation 
Mode (EM) 
bit of the 80286 machine 
status 
word indicates 
to the CPU whether 
NPX 
functions 
are to be emulated. 
If the CPU finds EM set when it executes 
an ESC instruction, 
program 
control is automatically 
trapped 
to exception 
#7, giving the exception 
handler 
the opportunity 
to emulate 
the functions 
of an 80287. The 80286 EM flag can be changed 
only by using the LMSW 
(load machine 
status word) instruction 
(legal only at privilege level 0) and examined 
with the aid of the SMSW 
(store 
machine 
status 
word) instruction 
(legal at any privilege 
level). 


The EM bit also controls the function 
of the WAIT 
instruction. 
If the CPU finds EM set while execut- 
ing aWAIT, 
the CPU does not check the ERROR 
pin for an error indication. 


For correct 
80286 operation, 
the EM bit must never be set concurrently 
with MP. The EM and MP 
bits of the 80286 are described 
in more detail 
in the iAPX 286 Operating System 
Writer's Guide. 


More information 
on software 
emulation 
for the 80287 NPX 
is described 
in the "80287 
Emulation" 


section later in this chapter. 


inter 


Initializing the 80287 NPX simply means placing the NPX in a known state unaffected by any activity 
performed earlier. The example software routine to recognize the 80287 (table 3-1) performed this 
initialization using a single FNINIT 
instruction. This instruction causes the NPX to be initialized in 


the same way as that caused by the hardware RESET signal to the 80287. All the error masks are set, 
all registers are tagged empty, the ST is set to zero, and default rounding, precision, and infinity 
controls are set. Table 3-1 shows the state of the 80287 NPX following initialization. 


Following a hardware RESET signal, such as after initial power-up, the 80287 is initialized in Real- 
Address mode. Once the 80287 has been switched to Protected mode (using the FSETPM instruction), 
only another hardware RESET can switch the 80287 back to Real-Address mode. The FNINIT 
instruction does not switch the operating state of the 80287. 


If it is determined that no 80287 NPX is available in the system, systems software may decide to 
emulate ESe instructions in software. This emulation is easily supported by the 80286 hardware, because 
the 80286 can be configured to trap to a software emulation routine whenever it encounters an ESe 
instruction in its instruction stream. 


As described previously, whenever the 80286 epu 
encounters an ESe instruction, and its MP and 


EM status bits are set appropriately (MP=O, EM = 1), the 80286 will automatically trap to interrupt 
#7, the Processor Extension Not Available exception. The return link stored on the stack points to the 
first byte of the ESe instruction, including the prefix byte(s), if any. The exception handler can use 
this return link to examine the ESe instruction and proceed to emulate the numeric instruction in 
software. 


The emulator must step the return pointer so that, upon return from the exception handler, execution 
can resume at the first instruction following the ESe instruction. 


Field 
Value 
Interpretation 


Control 
Word 


Infinity 
Control 
0 
Projective 
Rounding 
Control 
00 
Round to nearest 
Precision 
Control 
11 
64 bits 
Interrupt-Enable 
Mask 
1 
Interrupts 
disabled 
Exception 
Masks 
111111 
All exceptions 
masked 


Status Word 
Busy 
0 


{ 
Not busy 
Condition 
Code 
???? 
- 
(Indeterminate) 
Stack Top 
000 
Empty stack 
Interrupt 
Request 
0 
No interrupt 
Exception 
Flags 
000000 
No exceptions 


Tag Word 
Tags 
11 
Empty 


Registers 
N.C. 
Not changed 


Exception 
Pointers 
Instruction 
Code 
N.C. 
Not changed 
Instruction 
Address 
N.C. 
Not changed 
Operand 
Address 
N.C. 
Not changed 


inter 


To an application program, execution on an iAPX 286/10 system with 80287 emulation is almost 
indistinguishable from execution on an iAPX 286/20 system, except for the difference in execution 
speeds. 


• 
When operating in Protected-Address mode, numeric applications using the emulator must be 
executed in execute-readable code segments. Numeric software cannot be emulated if it is executed 
in execute-only code segments. This is because the emulator must be able to examine the particular 
numeric instruction that caused the Emulation trap. 


• 
Only privileged tasks can place the 80286 in emulation mode. The instructions necessary to place 
the 80286 in Emulation mode are privileged instructions, and are not typically accessible to an 
application. 


An emulator package (E80287) that runs on iAPX 286/10 systems is available from Intel in the 8086 
Software Toolbox, Order Number 122203. This emulation package operates in both Real and Protected 
mode, providing a complete functional equivalent for the 80287 emulated in software. 


When using the E80287 emulator, writers of numeric exception handlers should be aware of one slight 
difference between the emulated 80287 and the 80287 hardware: 


• 
On the 80287 hardware, exception handlers are invoked by the 80286 at the first WAIT or ESC 
instruction following the instruction causing the exception. The return link, stored on the 80286 
stack, points to this second WAIT or ESC instruction where execution will resume following a 
return from the exception handler. 


• 
Using the E80287 emulator, numeric exception handlers are invoked from within the emulator itself. 
The return link stored on the stack when the exception handler is invoked will therefore point back 
to the E80287 emulator, rather than to the program code actually being executed (emulated). An 
IRET return from the exception handler returns to the emulator, which then returns immediately 
to the emulated program. This added layer of indirection should not cause confusion, however, 
because the instruction causing the exception can always be identified from the 80287's instruction 
and data pointers. 


Once the iAPX 286/20 system has been initialized and normal execution of applications has been 
commenced, the 80287 NPX may occasionally require attention in order to recover from numeric 
processing errors. This section provides details for writing software exception handlers for numeric 
exceptions. Numeric processing exceptions have already been introduced in previous sections of this 
manual. 


As discussed previously, the 80287 NPX can take one of two actions when it recognizes a numeric 
exception: 


• 
If the exception is masked, the NPX will automatically perform its own masked exception response, 
correcting the exception condition according to fixed rules, and then continuing with its instruction 
execution. 


• 
If the exception is unmasked, the NPX signals the exception to the 80286 CPU using the ERROR 
status line between the two processors. Each time the 80286 encounters an ESC or WAIT instruc- 
tion in its instruction stream, the CPU checks the condition of this ERROR status line. If ERROR 
is active, the CPU automatically traps to Interrupt vector #16, the Processor Extension Error trap. 


Interrupt vector #16 typically points to a software exception handler, which mayor may not be a part 
of systems software. This exception handler takes the form of an iAPX 286 interrupt procedure. 


• 
The CPU must not disturb the numeric context when an error is detected. 


• 
The CPU must clear the error and attempt recovery from the error. 


Although the manner in which programmers may treat these responsibilities varies from one imple- 
mentation to the next, most exception handlers will include these basic steps: 


• 
Store the NPX environment (control, status, and tag words, operand and instruction pointers) as it 
existed at the time of the exception. 


• 
Clear the exception bits in the status word. 


• 
Enable interrupts on the CPU. 


• 
Identify the exception by examining the status and control words in the save environment. 


• 
Take some system-dependent action to rectify the exception. 


• 
Return to the interrupted program and resume normal execution. 


It should be noted that the NPX exception pointers contained in the stored NPX environment will take 
different forms, depending on whether the NPX is operating in Real-Address mode or in Protected 
mode. The earlier discussion of Real versus Protected mode details how this information is presented 
in each of the two operating modes. 


In cases where multiple exceptions arise simultaneously, the 80287 signals one exception according to 
the precedence sequence shown in table 3-2. This means, for example, that zero divided by zero will 
result in an invalid operation, and not a zero divide exception. 


Recovery routines for NPX exceptions can take a variety of forms. They can change the arithmetic 
and programming rules of the NPX. These changes may redefine the default fix-up for an error, change 
the appearance of the NPX to the programmer, or change how arithmetic is defined on the NPX. 


A change to an error response might be to automatically normalize all denormals loaded from memory. 
A change in appearance might be extending the register stack into memory to provide an "infinite" 
number of numeric registers. The arithmetic of the NPX can be changed to automatically extend the 


Denormalized 
operand 
(if unmasked) 


Invalid operation 
Zero divide 
Denormalized 
(if masked) 


Over jUnderflow 
Precision 


precision and range of variables when exceeded. All these functions can be implemented on the NPX 
via numeric errors and associated recovery routines in a manner transparent 
to the application 
programmer. 


Incrementing an exception counter for later display or printing 


Printing or displaying diagnostic information (e.g., the 80287 environment and registers) 


Aborting further execution 


Storing a diagnostic value (a NaN) in the result and continuing with the computation 


Notice that an exception mayor may not constitute an error, depending on the implementation. Once 
the exception handler corrects the error condition causing the exception, the floating-point instruction 
that caused the exception can be restarted, if appropriate. This cannot be accomplished using the 
IRET instruction, however, because the trap occurs at the ESC or WAIT instruction following the 
offending ESC instruction. The exception handler must obtain from the NPX the address of the 
offending instruction in the task that initiated it, make a copy of it, execute the copy in the context of 
the offending task, and then return via IRET to the current CPU instruction stream. 


In order to correct the condition causing the numeric exception, exception handlers must recognize the 
precise state of the NPX at the time the exception handler was invoked, and be able to reconstruct the 
state of the NPX when the exception initially occurred. To reconstruct the state of the NPX, program- 
mers must understand when, during the execution of an NPX instruction, exceptions are actually 
recognized. 


Invalid operation, zero divide, and denormalized exceptions are detected before an operation begins, 
whereas overflow, underflow, and precision exceptions are not raised until a true result has been 
computed. When a before exception is detected, the NPX register stack and memory have not yet been 
updated, and appear as if the offending instructions has not been executed. 


When an after exception is detected, the register stack and memory appear as if the instruction has 
run to completion; i.e., they may be updated. (However, in a store or store-and-pop operation, unmasked 
over/underflow is handled like a before exception; memory is not updated and the stack is not popped.) 
The programming examples contained in Chapter Four include an outline of several exception handlers 
to process numeric exceptions for the 80287. 


Numeric 
4 
programming 
Examples 


CHAPTER 
4 
NUMERIC PROGRAMMING 
EXAMPLES 


The following sections contain 
examples 
of numeric 
programs 
for the 80287 NPX written 
in ASM286. 
These examples 
are intended 
to illustrate 
some of the techniques 
for programming 
the iAPX 
286/20 
computing 
system for numeric 
applications. 


As discussed 
in Chapter 
Two, several numeric 
instructions 
post their results 
to the condition 
code bits 
of the 80287 status word. Although 
there are many ways to implement 
conditional 
branching 
following 


a comparison, 
the basic approach 
is as follows: 


• 
Execute 
the comparison. 


• 
Store the status 
word. (80287 allows storing status directly 
into AX register.) 


• 
Inspect 
the condition 
code bits. 


• 
Jump 
on the result. 


Figure 
4-1 is a code fragment 
that 
illustrates 
how two memory-resident 
long real numbers 
might 
be 


compared 
(similar 
code could be used with the FTST 
instruction). 
The numbers 
are called 
A and B, 
and the comparison 
is A to B. 


The comparison 
itself requires 
loading A onto the top of the 80287 register 
stack and then comparing 


it to B, while popping 
the stack 
with the same instruction. 
The status 
word is then written 
into the 


80286 AX register. 


A and B have four possible orderings, 
and bits C3, C2, and CO of the condition 
code indicate 
which 


ordering 
holds. These bits are positioned 
in the upper byte of the NPX status word so as to correspond 
to the CPU's 
zero, parity, 
and carry 
flags (ZF, PF, and CF), when the byte is written 
into the flags. 
The code fragment 
sets ZF, PF, and CF of the CPU 
status 
word to the values of C3, C2, and CO of 


the NPX 
status 
word, 
and then 
uses the CPU 
conditional 
jump 
instructions 
to test 
the flags. The 
resulting 
code is extremely 
compact, 
requiring 
only seven instructions. 


The FXAM 
instruction 
updates 
all four condition 
code bits. Figure 4-2 shows how a jump 
table can be 
used to determine 
the characteristics 
of the value examined. 
The jump 
table (FXAM_ TBL) is initial- 
ized to contain 
the 16-bit displacement 
of 16 labels, one for each possible condition 
code setting. 
Note 


that four of the table entries 
contain 
the same value, because 
four condition 
code settings 
correspond 
to "empty." 


The program 
fragment 
performs 
the FXAM 
and stores the status word. It then manipulates 
the condi- 
tion code bits to finally produce 
a number 
in register 
BX that equals the condition 
code times 2. This 


involves zeroing the unused 
bits in the byte that contains 
the code, shifting 
C3 to the right so that it is 
adjacent 
to C2, and then shifting 
the code to multiply 
it by 2. The resulting 
value is used as an index 


that 
selects 
one of the displacements 
from FXAM_ TBL (the multiplication 
of the condition 
code is 


required 
because 
of the 2-byte length of each value in FXAM_ TBL). The unconditional 
JMP 
instruc- 
tion effectively 
vectors through 
the jump 
table to the labelled 
routine that contains 
code (not shown in 
the example) 
to process each possible result of the FXAM 
instruction. 


inter 


FLD 
FCOMP 
FSTSW 


LOAD 
A 
ONTO 
TOP 
OF 
287 
STACK 
COMPARE 
A:B, 
POP 
A 
STORE 
RESULT 
TO 
CPU 
AX 
REGISTER 


CPU 
AX 
REGISTER 
CONTAINS 
CONDITION 
CODES 
(RESULTS 
OF 
COMPARE> 
LOAD 
CONDITION 
CODES 
INTO 
CPU 
FLAGS 
SAHF 


USE 
CONDITIONAL 
JUMPS 
TO 
DETERMINE 
ORDERING 
OF 
A 
TO 


B 


JP 
JB 
JE 


A_GREATER: 


A 
B 
UNORDERED 
A 
LESS 
A_EQUAL 


TEST 
C2 
TEST 
CO 
TEST 
C3 
• 
0, 
C 3 


( P F ) 
( C F ) 


( Z F ) 


( Z F ) 


FXAM 
TBL 
,,, 


DW 
POS_UNNORM, 
POS_NAN, 
NEG_UNNORM, 
NEG_NAN, 


POS_NORM, 
POS_INFINITY, 
NEG_NORM, 


NEG_INFINITY, 
POS_ZERO, 
EMPTY, 
NEG_ZERO, 


EMPTY, 
POS_DENORM, 
EMPTY, 
NEG_DENORM, 
EMPTY 


EXAMINE 
ST 
AND 
STORE 
RESULT 
(CONDITION 
CODES) 


FXAM 
FSTSW 
AX 


CALCULATE 
OFFSET 
INTO 
JUMP 
TABLE 
MOV 
BH,O 
; 
CLEAR 
UPPER 
HALF 
OF 
BX, 


MOV 
BL,AH 
; 
LOAD 
CONDITION 
CODE 
INTO 
BL 
AND 
BL,00000111B 
; 
CLEAR 
ALL 
BITS 
EXCEPT 
C2-CO 
AND 
AH,01000000B 
; 
CLEAR 
ALL 
BITS 
EXCEPT 
C3 
SHR 
AH,2 
SHIFT 
C3 
TWO 
PLACES 
RIGHT 
SAL 
BX,1 
SHIFT 
C2-CO 
1 
PLACE 
LEFT 
(MULTIPLY 
BY 
2) 
OR 
BL,AH 
DROP 
C3 
BACK 
IN 
ADJACENT 
TO 
C2 
(OOOXXXXO) 


JUMP 
TO 
THE 
ROUTINE 
'ADDRESSED' 
BY 
CONDITION 
CODE 


JMP 
FXAM 
TBL[BXl 


HERE 
ARE 
THE 
JUMP 
TARGETS, 
ONE 
TO 
HANDLE 
EACH 
POSSIBLE 
~ESULT 
OF 
FXAM 


There 
are many 
approaches 
to writing 
exception 
handlers. 
One useful 
technique 
is to consider 
the 
exception 
handler 
procedure 
as consisting 
of "prologue," 
"body," 
and "epilogue" 
sections of code. (For 
compatibility 
with the 80287 emulators, 
this procedure 
should be invoked by interrupt 
pointer (vector) 
number 
16.) 


•••• 
u~ 
uV511111111~ 
VI 
lilt: 
prologue, Lt'U Interrupts have been disabled. The prologue performs all 


functions that must be protected from possible interruption by higher-priority sources. Typically, this 
will involve saving CPU registers and transferring diagnostic information from the 80287 to memory. 
When the critical processing has been completed, the prologue may enable CPU interrupts to allow 
higher-priority interrupt handlers to preempt the exception handler. 


The exception handler body examines the diagnostic information and makes a response that is neces- 
sarily application-dependent. This response may range from halting execution, to displaying a message, 
to attempting to repair the problem and proceed with normal execution. 


The epilogue essentially reverses the actions of the prologue, restoring the CPU and the NPX so that 
normal execution can be resumed. The epilogue must not load an unmasked exception flag into the 
80287 or another exception will be requested immediately. 


Figure 4-3 through 4-5 show the ASM286 coding of three skeleton exception handlers. They show how 
prologues and epilogues can be written for various situations, but provide comments indicating only 
where the application-dependent exception handling body should be placed. 


Figure 4-3 and 4-4 are very similar; their only substantial difference is their choice of instructions to 
save and restore the 80287. The tradeoff here is between the increased diagnostic information provided 
by FNSA VE and the faster execution of FNSTENV. For applications that are sensitive to interrupt 
latency or that do not need to examine register contents, FNSTENV reduces the duration of the "criti- 
cal region," during which the CPU will not recognize another interrupt request (unless it is a nonmask- 
able interrupt). 


After the exception handler body, the epilogues prepare the CPU and the NPX to resume execution 
from the point of interruption (Le., the instruction following the one that generated the unmasked 
exception). Notice that the exception flags in the memory image that is loaded into the 80287 are 
cleared to zero prior to reloading (in fact, in these examples, the entire status word image is cleared). 


The examples in figures 4-3 and 4-4 assume that the exception handler itself will not cause an unmasked 
exception. Where this is a possibility, the general approach shown in figure 4-5 can be employed. The 
basic technique is to save the full 80287 state and then to load a new control word in the prologue. 
Note that considerable care should be taken when designing an exception handler of this type to prevent 
the handler from being reentered endlessly. 


SAVE 
CPU 
REGISTERS, 
ALLOCATE 
STACK 
SPACE 


FOR 
80287 
STATE 
IMAGE 
PUSH 
BP 
MOV 
BP,SP 
SUB 
SP,94 


SAVE 
FULL 
80287 
STATE, 
WAIT 
FOR 
COMPLETION, 


ENABLE 
CPU 
INTERRUPTS 


FNSAVE 
£BP-941 


F W A I T 
S T I 


APPLICATION-DEPENDENT 
EXCEPTION 
HANDLING 


CODE 
GOES 
HERE 


inter 


CLEAR 
EXCEPTIOH 
FLAGS 
IH 


RESTORE 
MODIFIED 
STATE 


IMAGE 
MOV 
FRSTOR 


DE-ALLOCATE 


MOV 


BYTE 
PTR 
[BP-92I, 
OH 
[BP-941 
STACK 
SPACE, 
RESTORE 
S P , B P 


RETURH 
TO 
IHTERRUPTED 
CALCULATIOH 


IRE 
T 
SAVE_ALL 
EHDP 


SAVE 
CPU 
REGISTERS, 
ALLOCATE 
STACK 
SPACE 


FOR 
80287 
EHVIROHMEHT 


PUSH 
BP 


MOV 
BP,SP 


SUB 
SP,14 


SAVE 
EHVIROHMEHT, 
WAIT 
FOR 
COMPLETIOH, 
EHABLE 
CPU 
IHTERRUPTS 


FHSTEHV 
[BP-141 


F W A I T 
S T I 


CLEAR 
EXCEPTIOH 
FLAGS 
IH 
STATUS 
WORD 


RESTORE 
MODIFIED 


EHVIROHMEHT 
IMAGE 


MOV 
BYTE 
PTR 
[BP-12I, 
OH 


FLDEHV 
[BP-141 


DE-ALLOCATE 
STACK 
SPACE, 
RESTORE 
CPU 
REGISTERS 


MOV 
SP,BP 


POP 
BP 


RETURH 
TO 
IHTERRUPTED 
CALCULATIOH 


IRE 
T 
SAVE_EHVIROHMEHT 
EHDP 


SAVE 
CPU 
REGISTERS, 
ALLOCATE 
STACK 
SPACE 
FOR 
80287 
STATE 
IMAGE 
PUSH 
BP 


MOV 
BP,SP 
SUB 
SP,94 
SAVE 
STATE, 
LOAD 
NEW 
CONTROL 
WORD, 
FOR 
COMPLETION, 
ENABLE 
CPU 
INTERRUPTS 
FNSAVE 
IBP-94l 
FLDCW 
LOCAL_CONTROL 
S T I 


APPLICATION 
EXCEPTION 
HANDLING 
CODE 
GOES 
HERE. 
AN 
UNMASKED 
EXCEPTION 
GENERATED 
HERE 
WILL 
CAUSE 
THE 
EXCEPTION 
HANDLER 
TO 
BE 
REENTERED. 
IF 
LOCAL 
STORAGE 
IS 
NEEDED, 
IT 
MUST 
BE 
ALLOCATED 
ON 
THE 
CPU 
STACK. 


CLEAR 
EXCEPTION 
FLAGS 
IN 
STATUS 
WORD 
RESTORE 
MODIFIED 
STATE 
IMAGE 
MOV 
BYTE 
PTR 
IBP-92l, 
OH 
FRSTOR 
IBP-94l 
DE-ALLOCATE 
STACK 
SPACE, 
RESTORE 
CPU 
REGISTERS 
MOV 
SP,BP 


POP 
BP 
RETURN 
TO 
POINT 
OF 
INTERRUPTION 
IRET 
REENTRANT 
ENDP 


inter 


Numeric programs must typicaIly format their results at some point for presentation and inspection by 
the program user. In many cases, numeric results are formatted as ASCII strings for printing or display. 
This example shows how floating-point values can be converted to decimal ASCII character strings. 
The function shown in figure 4-6 can be invoked from PL/M-286, 
Pascal-286, FORTRAN-286, 
or 
ASM286 routines. 


Shortness, speed, and accuracy were chosen rather than providing the maximum number of significant 
digits possible. An attempt is made to keep integers in their own domain to avoid unnecessary conver- 
sion errors. 


Using the extended precision real number format, this routine achieves a worst case accuracy of three 
units in the 16th decimal position for a noninteger value or integers greater than 1018• This is double 
precision accuracy. With values having decimal exponents less than 100 in magnitude, the accuracy is 
one unit in the 17th decimal position. 


Higher precision can be achieved with greater care in programming, larger program size, and lower 
performance. 


SERIES-Ill 
iAPX2BO 
MACRO 
ASSEMBLER 
Xl08 
ASSEt1BLV 
OF 
f'IODULE FLDATINO_TDjIBCII 


OB.JECT MODULE PLACED 
IN 
: F3: FPASC. 08,) 


ASSEt1BLERINVOKED BY: 
"811296.86: 
F3: FPASC.N'2 


I 
+1 
•3•••7 
8• 
10 
III. 
13I'••I. 
17 
18I' 
.0., 


22.3•••••• 
• 7.8•• 
30 
313. 
333.,. 
3. 
37 
38 
3'.0'1••.3••••••.7 
'8•• 
'0 


This 
SUDT'ouU.n. 
will 
conveT't 
the 
float1n, 
polnt 
nu_be" 
1n 
~". 
top 
of 
the 
80287 
atee 
Ie to 
an 
ASCII 
a'rin, 
.nlf 
•• pa"'at. 
powe,. 
of 
10 
scaUn. 
value 
(in 
lII!n."v). 
The •• ai.UM width 
of 
i::he ASCII 
strin, 


f01' •• d 1. 
controlled 
'" 
• 
par ••• 
te" 
which 
Must 
tie > 1. 
Unno,. •• l 
••.alu 
••• 


d.nor 
•• l 
••.alu ••• 
and 
pauello 
zltro •• 
tllil! 
be 
cOf'"ect}v 
converted. 


A ",sturned 
value 
will 
indicate 
ho ••• 
n" 
bine"" 
bits 
of 
p"ecision 
we,.e 
lost 
in 
an 
unno" •• l 
0T' 4.no"•• 1 value. 
The 
•• ,"1tu4.' 


(in 
ts" •• 
0' 
1II1ne"\I po•• ,,) 
of 
• 
,aue4o 
•• "0 
will 
al.o 
be 
inllicated. 


Inte,e". 
1." 
than 
1~.18 
in 
.alnitude 
a"e 
accu"at.l\l 
conv.,..t 
••• 
if 
the 
d•• UnaUon 
ASCII 
,t"inl 
fi.)d 
i, 
.id. 
enoulh 
to 
hold 
all 
the 
dl,it,. 
Ot,..".l 
•• 
th. 
value 
1, 
conve"t.d 
to 
.cientific 
not.tion. 


o 
conv.".1on 
co.plet 
•• 
't"1nll_'ize 
i'. 
1I.'1nect 
1 
invalid 
a"lulIIe,:!t, 
2 
elact 
integer 
conver,ion 
•• 
tT'inl_'ire 
i. 
defined 
3 
ind.finit 
• 
4 
+ NAN (Not 
A Nu.b.r) 


:5 
- 
NAN 
6 
+ Infinitv 
7 
- 
Infinitv 
8 
,.uedo 
'.1'0 
found •• 
tring_'ize 
i, 
d.fined 


The 
PLP1/286 calling 
convention 
i.: 


floaUn,_to_a.c 
i 1: 


procedure 
(nUMb• .,.. denor.aIJt". 
,trlnlJtr. 
,izeJtr. 
'ield_,il:e. 


pOllle"Jt"l 
word 
•• t."nal1 


d.cla". 
(deno"lIlalJtr. 
,trlnIJt". 
po"er-,tr 
•• he.JIt,,) 
,olnte"l 


decla.,.e 
fi.ld_,ize 
word. 
,tring_'h. 
b••• d .11e-,t1' 
1IIordi 


declare 
numb.r 
,..al1 


d.c 1.". 
d.no" •• l 
1nteler 
ba.ed 
deno1'lIlaIJt"l 


d.c lar. 
pOllle" lnt.ge" 
ba.ed 
power ..,.,t"l 
end 
floating_to 
__ .ciil 


The 
floating 
,oint 
value 
i •• 
zpected 
to 
De on 
the 
to, 
of 
'the 
NftX 


,tacll:. 
Thi •• 
ubroutin. 
ezp.ct. 
3 
fT-.e 
ent"ie. 
on the 
NPX .tac' 
and 
will 
pop 
the 
p•••• 
d value 
off 
when don.. 
The 
,.n.rated 
ASCII 
.t,,1ng 


lIIIIill have 
a 
leadinl 
cha"act 
• .,. .ithe" 
'-'. 
or 
•.•.• indicatinl 
the 
.iln 
of 
the 
value. 
The 
ASCII 
d.ct 
•• l 
digih 
will 
i •• elliatelv 
follow. 


Th. 
nUlu"1c 
value 
of 
the 
AacII 
.t"ing 
i. 
(ASCII 
8TRINQ. ).l~OWER: 


OOOO[] 
0002[] 
0004[] 
00Q6[] 
OOOS[] 
OOOAC] 
OOOCCl 
OOOECl 


0012 
0002 


OOOA 
0001 
0004 
0000 
0003 
0008 


-0002 
-0004 
-0000 
-0008 


סס oo 
0002 


-0002[) 
, 


-0004[] 
-0006[] 
-0010[] 
-0010[] 
-0010[] 


0002 
F8 


0003 
04 
0004 
F9 
0005 05 
0006 00 
0007 06 
0008 01 
OOOt;l 07 
OOOA 
FC 


0008 
FE 


OOOC 
FD 


0000 
FE 


OOOE 
FA 


OOOF 
FE 


0010 
F8 


0011 
FE 


If 
the 
given 
number 
",as 
Illro. 
the 
ASCII 
string 
",ill 
cont.in 
• 
sign 
and 
a 
single 
lero 
ch.cter. 
The 
value 
string_sile 
indic.tes 
the 
tot. 
1 


length 
of 
the 
ASCII 
string 
including 
the 
.illn 
cha,.uter. 
5tring(0) 
will 


a 1111111\15 
hold 
the 
sign. 
It 
i. 
possible 
for 
string_.ile 
to 
be 
l.s. 
th.n 


field_sile. 
This 
occurs 
for 
lerOIlS 
or 
integer 
value.. 
A psuedo 
lero 


will 
return. 
spllcial 
return 
code. 
The 
dllnormal 
count 
will 
indic.te 


the 
power 
of 
two 
originall\l 
as.Qci.ted 
with 
the 
v.lue. 
The 
power 
of 


ten 
and 
ASCII 
.tring 
will 
b. 
as 
if 
the 
value 
wa•• 
n ordinar\l 
lero 
. 


Tl)i. 
subroutine 
is 
~ccurate 
up 
to 
a maximulll 
of 
18 
d.ci 
•.••l 
digit. 
for 
integer.. 
Integer 
value. 
will 
have 
•• decimal 
power 
of 
lero 
••• 
oci.t.d 
",ith 
them. 
For 
non 
int.gllrs. 
the 
result 
lIIill 
be 
.ccur.te 
to 
.ithin 
2 


decimal 
digits 
of 
the 
16th 
decimal 
plac. 
(double 
precision), 
The 


IIl1'onenti.te 
instruction 
i •• 1.0 
u.lld 
for 
.caling 
the 
v.lue 
into 
thll 


r.nge 
accll1'table 
for 
the 
BCD d.t. 
t\l1'.. 
The 
rounding 
lIIade 
in 
effect 


on 
entr 
•• to 
thll 
subroutine 
i. 
u'ed 
for 
the 
conve",ion. 


word 
1'tr 
Cbp] 
b1'_,.vII 
+ 'ile 
bp_, ••ve 


•• _.a". 
+ .i le 
e._ •• ve 


returnJtr 
+ 
.i le 
return.Jltr 


po",er.Jl1:r 
+ sile 
1'Ollle"Jtr 
field_sile 
+ 
'he 
field_sile 


sileJtr 
+ 
.ile 
.ile.Jltr 
.tring.Jltr 
+ 
.he 
.tringJtr 


Defin. 
return 
value. 


Th. 
III.Ct 
value. 
cho.en 
hllrll 
.re 
i.1'ort.nt. 
Thll\l 
fIlUSt correspond 
to 
the 
1'os.ible 
return 
value. 
and 
be 
in 
the 
•••Ille nu.eric 
order 
.5 
tested 
b\l 
the 
1'rogr ••. 


01'2 
03'4•• 
.0 
07 
•8•• 
00 
01 
02 
03 
04O. 
00 
07 
08 
O. 
70 
71 
72 +1 
73 
74 
70 
70 
77 
78,. 
80 
81 
82 
83 
848. 
80 
87 
888..0••.2., 
.4••.0 
OJ.8•• 
100 
101 
102 
103 
104 
10. 
100 
107 
108 
10. 
110 
111 
112 
113 
114 
11. 
110 
117 
118 +1 
11. 
120,., 
,.2 
103 
'.4,., 
120 
107 
128,.. 
130 


bp_ •• ve 
eq,u 
e._.ave 
eq,u 


returnJt1" 
eq,u 
po",e"Jltr 
eq,u 


field_.ile 
eq,u 
sheJtr 
eq,u 
.tringJt" 
eq,u 


denormalJt" 
eq,u 


BCD_DIOITS 
WORD_SIZE 
BCD_SIZE 
MINUS 
NAN 
INFINITY 
INDEFINITE 
PSUEDO_IERO 
INVALID 
ZERO 
DENORMAL 
VNNORMAL 
NORMAL 
EXACT 


.t.tu. 
powe" _two 
1'owe" _ten 
bcd_value 
bCd_b\lh 
fr.ction 


lIIord 
pt" 
[b1'-WORD_SIZE] 


.tatus 
- 
WORD_SIZE 


1'awe" _two 
- 
WORD_SIIE 
tb\lte 
1'tr 
I'awe" _ten 
- 
BCD_SIZE 
b••te 
pt" 
bCd_v.lue 


bcd_value 


inter 


0012 
EBOOOO 
0015 
BIDS 
0017 
2EBAB70200 
OCtC 
3CFE 
00IE 
7528 


0029 
C9 
002A 07 
0028 
C20AOO 


002E 
DB7EFO 
0031 
ABOI 
0033 
98 
0034 
74F3 


0036 
ssooeo 
0039 
2B5EF6 
003C 
OB5EF4 
003F 
OB5EF2 
0042 
OB~O 
0045 
75£2 


0048 


0048 
06 
Q04C C8100000 


0068 
8800 


0060 
33CO 
006F 
BB7EOE 


0072 8905 
0074 
815E06 
0077 8907 
0079 
BOFAFC 
007C 7328 


l.ave 
pcp 
1'. 


1'.t 
parln_sizl' 


f.tp 
flT.ettan 
tnt 
.1. MINUS 
flllait 


JZ 
•• 
itJ'roc 


bl. 
OCOOOH 
b •• ward 
ptr 
fraction+b 
b.,ward 
ptr 
f1'action+4 
b •• word 
ptT' 
f".ctI0"+2 
bl. 
w01"d ptr 
fraction 
l'.itJlTOC 


tos_status 
bll ••• 
.1. 
statu,,_tableCbIJ 
.1. 
INVALID 
not_ •••pt~ 


1Il0V 
CI. field_"iI-. 


[flip 
cl.2 


Jl 
."'.ll_"tring 


dec 
c. 
c.p 
[I. BCD_DICITS 


Jbl' 
siz._ok 


Relllovl' valu. 
fiT-aliistack 
for 
I'••• in.tion 


Look .t 
5ill" 
bit 
Insure 
star. 
i. 
don. 


Cen't 
b. 
indefinite 
if 
positivI' 


Hatch .".inst 
Uppl'l" 
16 bits 
0' 
'raction 
COlIlpare 
bits 
63-48 
Bits 
32-47 
lJIust 
be 
•• ro 
Bits 
31-16 
Must 
b•• 
ero 
Bits 
15-0 
lIlust 
b••• 
ro 


I 
Us. 
positive 
value 
onl\l 
sign 
bit 
in 
al 
has 
true 
sign 
0' 
valu. 


Save 
r.turn 
value 
'0" 
lat." 
FO"1Il 0 
constant 
Zero 
d.nor 
•• l 
count 


•.•.a. 
di. 
d.norm.l...,Ptr 
lIlo"d 
ptr 
Cdil ••• 


b •• po",er ...,ptr 
wo"d 
ptr 
Cb.•l ••.• 


dl. 
ZERO 
"•• 1_I.ro 


inter 


0083 
DW'" 
008'8OFAFS 
0088 7240 


008~ 09£8 


008F 


0095 
D9C' 


00'f7 
OFI' 


()()C;'. 
DEC2 


0098 
F71D 


009D 
7528 


OOOF 


OON' 
D'lE8 


0011 
D9C. 


0013 
D9F8 


0015 
D9F4 


0017 
D-.E5 
0089 
'BDf'EO 


OOIC 
£)ltC. 


008£ 
D9CA 


OOCO 80EAFA 
OOC3 A90044 
OOC. 
74C7 


OOCA 
D87EFO 


OOCD DF56FC 
OODO D9EC 


ht,.act 
CIIl' 
41, 
IJN'«)RHAL 
Jll 
no" •• l_value 


f.d, 
.t(1) •• t 
fault 
flt"e,t 


Set 
inte.e.,. 
bit 
in 
"'action 


I For. 
no".,.t1lo1' 
fraction 
in 
51(0) 


Powe.,. 
of 
two 
field 
will 
be 
"o1'o1tiv. 


of 
denOT'lllal 
count 
Put 
d."01'Ill.l 
count 
in 
8T(0) 


Put 
neg_tive 
of 
d.norlll.l 
count 
in 
Illemorij 


Fo,.", 
cor".ct 
powe", 
of 
two 
in 
at< 1) 


OR to 
us. 
word 
ptr 
[,il 
now 


I 
FOT'JIl positive 
d.noT'IIl.1 
count 


fI.ctl 
ft.t 
lIIord 
ptT' 
[dlJ 
fadd, 
.t(21, 
at 


A ,au.do 
IU'O 
will 
.,po1o1l" 
•• 
an 
unnorlllal 
numb • .,.., 
When 
att.mpting 


to 
"o,."'o1lho1 
it. 
the 
".sultant 
frAction 
fi.ld 
1&1111b. 
lo1ro. 
Pe"f'oT'lIIing 


an 
fl.tT'.ct 
on 
rerc 
will 
uteld 
•• IIU"O ellponent 
value. 


Put 
pow.,. 
of 
two 
value 
In 
.t(O> 


Set 
danor •• l 
count 
to 
powe" 
of' 
two 
v.lue 


Wo"d pt" 
[dil 
i. 
not 
u.ed 
b\l conve"t 


intege". 
OK to 
1.,ave 
"unning 
S.t 
".tu"n 
v.lu 
••• 
ving 
the 
sign 
bit 


Put 
le"o 
v.lu. 
into 
lIIe.o"\I 


Th. 
nu.be" 
i •• 
d.no" •• l. 
FXTRACTwill 
not 
lIIo"t 
co""ectlv 
In 
this 


c.... 
To eorraetlV 
•• p• .,..t. 
th ••• 
ponent 
.nd 
fr.etion 
•• 
dd 
• 
fil.d 


con.t.nt 
to 
the 
•• pon.nt 
to 
lu.rant.e 
the 
r •• ult 
i. 
not. 
deno.,._1. 


'141 
fleh 
fp.,. •• 
Fo.,.ce 
".nor 
•• l 
to 
••• 
ll.st 
".p" 
••• nt.ble 


..t.nd.d 
,.•• 1 for •• t 
e.ponent 


This 
l1li111lIIo"t 
co,,"ectlv 
now 


f ••• 
'st.w 
f.ch 
flch 
ou' 
test 
J' 


.t(2) 
d 1. DENORPW..-NORtw.. 
••• 
4400H 
nor.al11._f,.action 


Sea 
if 
the 
f,.action 
i. 
an 
unno,..al 


Sava 
80287 
.tatu. 
In 
CPU AX ,..g 
fo" 
later 


Put 
uponant 
in 
SnO) 


Put 
1. 0 
1nto 
8T(0). 
elponent 
in 
8T<2> 


Return 
nor.al 
.t.tu. 
lIIith 
cOT"ract 
.ign 


S•• 
if 
Ca-C2aO 
i.plinll 
unnor_l 
0" 
NAN 
I 
.Ju.p 
l' 
f"action 
i. 
an 
unnor •• l 


C.lculata 
tha 
d.ci 
•• l 
"lInituda 
••• 
oeiatad 
with 
this 
nUlllba" to 
lIIithln 
ona 
orda". 
This 
.r.,.o.,. 
will 
.1w.\I. 
b. 
inevitable 
due 
to 
round in, 
and 
lost 
p".ci.ion. 
As a 
"esult. 
we will 
d.U.a"atal\l 
'all 


to 
c:ondd.,. 
tha 
LOOIO of' the 
''''.ction 
valu. 
in 
calcul.Ung 
tha 
orde,.. 


Since 
tha 
'"acUon 
will 
.lw.V. 
be 
I 
<- 
F <:;!. 
it. 
LDCilIOw111 not 
ch.ng. 


the 
••• 
ic 
accu ••ac", 
of 
the 
function. 
To gat 
the 
d.ci.al 
o••de" 
of 
•• gnitude 
• 
• i.pl", 
.ultiplV 
tha 
,owa •• of' 
two 
b", LOGIO<:;!) and 
tT'unc.ta 
tha 
re.ult 
to 


J 
an 
intell.". 
, 
nOT'ul_value: 
not-l.uado_z.T'o: 


fstp 
fT'action 
fi.t 
pOlller_two 
fldlll2 


S.v. 
the 
fraction 
field 
foT' lat." 
u•• 


Save 
pOllia,. of 
two 
g.t 
LOOIOC:;!) 
Power_two 
i. 
nOIll .a'e 
to 
u•• 
Fo,.. 
LOOI0Cof 
.Ipon.nt 
of 
nu.be ••) 


An\! T'oundinll 
1Il0d. wi)) 
lIIo,.k h.,.. 


inter 


0007 '8 
0008 
SB46FA 
OODB 21Cl 
0000 
7722 


OODF DF46FC 
00E2 
BBF2 
00E4 
BOEAFE 
OOE? DB6EFO 
OOEA D9FD 
OOEC 
ODD! 
OOEE 
D9FC 
OOFO 0809 
OOF2 9BDD7EFE 
OOF6 F746FEOC40 
OOFB 
7"0 


0108 
DBbEFO 
0108 
DEe, 
0100 
98Ft 
OIOF 
01E6 
0111 
01E6 
0113 
01E6 
0115 
DF46FC 
0118 
DEC2 
OUA 
D9FD 
011e 
0009 


0128 
2£0£36ססoo 
0130 
BOE2FO 
0133 
FFO? 
0135 
E814 


0137 


0131\ 
2EOC94QOOO 


013e 
9BOFEO 
013F •••90001 
0142 
7407 


flllait 
lrlOY 
AJ:.power_ten 
sub 
al. CI 


Jil 
ad Just_r 
•• ul t 


Wait 
'or 
pow.r_ten 
to 
be 
valid 
Oet 
po we" 
of 
ten 
of 
valu. 
For. 
scaling 
factoT' 
n.c •••• 
,." 
in 
•• 
JUlllp if 
nUllbe" 
lIIi 11 not 
Ii t 


hId 
.ov 
ou',.. 
fscale 
ht 
frndint 
fcolJlp 
'st ••• 
h'st 
,n. 


power 
_tll,lO 
st,d. 
d!. 
NORMAL-EXACT 


frAction 


status 
.t.tus.4000H 


C onvert_i 
ntever 


Fo,.. 
full 
value. 
this 
t ••• 
f. 
he.,.e 


COP\! value 
for 
ca_p ••.• 
T.st 
if 
its 
an 
integer 
CoMpa"e 
valu 
•• 
Save 
st.tus 
C3-1 
iMplies 
it 
was 
an 
int.g.r 


,,,, 
adJust_result: 


Seal. 
the 
numb.r 
to 
within 
the 
range 
allow.d 
bV the 
BCD forlllat 
Th. 
scaling 
aperation 
.hould 
produc. 
a 
nUllb.r 
within 
on. 
deci",al 
order 
af 
magnitude 
of 
the 
largest 
d.cimal 
number 
r.pre 
•• ntabl. 
within 
the 
given 
.tring 
width. 


s.t 
initial 
pOIll.r 
of 
t.n 
r.turn 
valu. 
Subtract 
on. 
for 
.ach 
order 
of 
magnitude 
the 
value 
is 
scal.d 
bV 


, 
Scaling 
factor 
i. 
r.turn.d 
as 
•• ,on.nt 
and 
flraction 


get 
frac t i on 


Co",bin. 
flraction. 
For", 
pow.r 
of' 
t.n 
ofl the 
lIIa.illlUlll 
BCD valu. 
to 
fit 
in 
the 
string 


Ind •• 
in 
s1 


T•• t 
the 
adJu.ted 
value 
against 
a 
table 
of' 
•• act 
powers 
of 
t.n. 


The 
cotrlbin.d 
error. 
of 
the 
trlagnitude 
.stiJ"at. 
and 
pow." 
function 
Can 


result 
in 
a 
value 
one 
o"der 
of 
a'lagnitud. 
too 
sliall 
or 
too 
larg. 
to 
fit 


corr.ct1v 
in 
the 
BCD ,..ld. 
To handle 
this 
p"obl."" 
p".test 
the 
adJusted 
valu •• 
if 
it 
i. 
too 
small 
0" 
larg 
•• 
th.n 
adJust 
it 
bV t.n 
and 


adJust 
the 
po•••er 
of 
ten 
valu •. 


pow.r_table; 
Compar. 
against 
e.act 
power 


entrV. 
Use 
the 
ne.t 
entrv 
sine. 
c. 


ha. 
been 
decrement.d 
bV one 


No wait 
ts 
n.c •••• 
rV 


If 
C3 • 
CO • 
0 th.n 
too 
big 


El •• 
adJu.t 
v.lu. 
R.",ov ••• 
act 
flag 
AdJu.t 
pow.r 
of 
t.n 
v.lu. 
Conv.l"t 
the 
value 
to 
• 
BCD int.ller 


T.st 
".lattv 
•• 
i •• 
No ",ait 
i. 
n.e •••• 
r •• 
If' 
CO • 
0 
th.n 
.t (0) 
>- 
101ll.r 
bound 
Conv."t 
the 
value 
to 
a 
BCD tntelleT' 


A••• "t: 
0 <- TOS <- 999.999.999,999.999.999 


j 
The 
TOG number 
..,ill 
b•••• 
cUV 
T'.p" ••• ntabl. 
in 
18 digit 
BCD forMat. 
, 
conv.rt_i 
nt.g 
er: 


<l. 
fmul 
mov 
.h> 
.hl 
ohl 
fUd 
hddp 
f.cale 
Istp 


.i.c. 
.i.1 
.i.l 
st.1 
power _two 
st(:i!). 
st 


f'idiv 
.n. 
ine 
J.p 


con.t10 
dl, 
not 
EXACT 
lIIord ptr 
Cb.J 


shoT't 
in_ranll. 


pOIll.r_tableC.iJ 
.. 
n.100H 
in_"ange 


LaC 
OBJ 


01~3 
B9040F 


01~6 
BBOI00 
01~9 8B7EOC 
01~C BCD8 
01~E 8ECO 
0160 
FC 
0161 
B02B 
0163 
FbC201 


0166 
7402 


01bF 
8A62FO 
0172 
8AC4 
0174 
02E8 


017b 
22C5 
0178 
7'16 


0183 
B030 
01B5 AA 
01ab 43 
01B7 EBlb 


0190 
0430 
0192 
AA 
0193 
8AC4 
0195 
22C5 


0197 
43 


0198 
0430 
019A AA 
0198 
43 
Ot9C 
4E 
0190 
79EA 


019F 
BB7EOA 
01A2 8910 
01A4 8DC2 
CIA6 
E980FE 


S.t 
.hif't 
count 
.nd 
m.sk 
S.t 
inithl 
size 
of 
ASCII 
H.ld 
f'or 
.ign 


G.t 
.ddr 
••• 
of' 
.t.rt 
of' 
ASCII 
.tring 
I 
Cop II d. 
to 
e • 


Set 
ilutoincrement 
mode 


Cle.r 
.ign 
field 
Look 
for 
nell.U.ve 
v.lue 


Bump .trinll 
point.r 
p•• t 
sign 
Turn 
off 
sign 
bit 
W.it 
for 
fbstp 
to 
finish 


.h: 
• 1: 


dx; 
ch: 
cl: 
b,' 
si· 
di' 
d., es: 


BCD bijt. 
value 
in 
USIt 
ASCII 
ch.ract.r 
v.lu 
• 


Return 
v,alue 
BCD m.sk 
- 
Ofh 
BCD shift 
count"" 
4 
ASCII 
string 
field 
width 
BCD field 
indu 


ASCI I 
string 
field 
pointer 
ASCII 
string 
segment 
bOise 


cx,Of04h 
bx,l 
di, 
strinllJtr 


• x, d. 
es •• 
x 


.1. '.' 
d l.tlINUS 
positive_result 


Get 
BCD bl,th 
COPll v.lue 
I 
Get 
high 
order 
digit 
Set 
z.ro 
flag 
Edt 
loop 
if 
le.ding 
non 
zero 
found 


Get 
BCD b1,lte 
oiIgain 


I 
Get 
low 
order 
digit 


Exit 
loop 
if 
non 
zero 
digit 
found 


oou 
ah. bcd_blJte[si] 
C.t 
BCD 
blJte 


oou 
.1. 
.h 
.Or 
.1. 
cl 
C.t 
high 
order 
digit 


enter 
_odd: 


odd 
.1, 
'0' 
Convlu't 
to 
ASCII 
stosb 
Put 
digit 
into 
ASCII 
string 


oou 
OIl. OJh 
C.t 
low 
order 
digit 


on' 
.1, 
ch 
,no 
b. 
Bump field 
5i ze 
counter 


entl'r -even: 


odd 
OIL '0' 
Convert 
to 
ASCI I 
5tosb 
Put 
digit 
into 
ASCI I area 


,no 
b, 
Bump field 
size 
counter 
'OC 
.i 
Go to 
next 
BCD 
byte 
,n. 
digit_loop 


di, 
sizeJtr 
word 
ptr 
CdiJ. 
bx 


.x. 
dx 
eXit...proc 


.h, 
bcd_bl,thlsiJ 
.1. oiIh 
Ill, cl 
.1. ch 
ente,. 
_odd 


Ill. .h 
.1. ch 
enter 
_even 


mov 
.1, '0' 
stosb 
inc 
bx 
Jmp 
short 
eXlt_wlth_vlllul' 


inter 


סס oo 
aOOOOOOOOOOOFO 
3F 


OOOB 00000000000024 


40 
0010 
00000000000059 
40 
0018 
0000000000408F 
40 
0020 
000000000088C3 
40 
0028 
00000000006AFB 
40 
0030 
0000000080942E 
4' 
0038 
0000000000 
1263 


4' 
0040 
0000000084D797 
4' 
0048 
0000000065CDCD 
4' 
0050 
000000205FA002 
42 
0058 
000000E87604837 
42 
0060 
000000A2941 A6D 
42 
0068 
000040E59C30A2 
42 
0070 
0000901ECo48C06 
42 


0078 
00003426F56BOC 
43 
0080 
0080E03779C341 
43 
0088 
OOAOD885573476 
43 
0090 
OOCB4E676DCIAB 
43 


0090 
53 
009E 8808 
OOAO (IE303 
O0A3 2E00870000 
OOAB 58 
OOAQ D9F4 
OOAB C3 


ooAC 09£9 
OOAE C90040000 
0082 
8946FE 


0085 
DE4EFE 


0089 
9BD97EFC 
OOBe BB46FC 
OOBF 25FFF3 
00C2 000004 
OOC5 8746FC 


00C8 09E8 
OoCA 09£0 
Dace 
09Cl 


DaCE D96EFC 


, +, 
2 
3 
4•"7 
8•'0 
11 
12 
13 
14"'" 
17'8,. 
20 
21 


This 
subroutine 
\o/il1 
c:••lcul.t. 
the 
value 
of 
10••• 
1. 


For 
valu •• 
of 
0 <- 
<I. < 
19. 
the 
result 
•••111 
<l1.et. 


All 
B02Bb r*;ister 
••• re 
transparent 
.nd 
the 
v.lue 
i. 
returned 
on 
the 
TOS ••s 
two nUMbers ••• 
pon.nt 
in 
sTC1) 
.nd 
fr.ction 
in 
sT(OL 


Th••• 
pon.nt 
v••lu. 
c••n be 
l ••rge" 
than 
the 
larg •• t 
•• pon.nt 
of 
.In 
•• tend.d 
1" •• 
1 form.t 
numb.r. 
Thr ••• 
t.ck 
.ntri 
•• 
ar. 
u•• d. 


I 
Q.t 
••• ct 
velu. 
R.stor. 
r.gi.t.r 
v.lu. 


I 
S.p.r 
••t. 
pow.r 
.nd 
fr.ction 
OK to 
I •• v. 
f.tr.ct 
running 


Calcul.t. 
the 
value 
using 
the 
•• pon.nti.t. 
instruction. 


Th. 
following 
r.lations 
.1". us.d: 


10**. 
,. 2**(log2<10)*I) 
2*.(I+FI 
- 
2.*1 
* 2.•.•F 
if 
stet) 
• 
1 .nd 
steOl 
- 
2**F 
th.n 
fsc.l. 
produc •• 
2*.Cl+F) 


pu.h 
mo. 
.hI 
.Id 
'0' 
f.tr.ct 
rot 


b. 
b ••••• 
b •• 3 
po",.r_t.bl.Cb.J 
b. 


I 
Tos 
- 
LOQ2(10) 
ForM.t 
st.ck 


I 
S.v. 
power 
of 
10 v.lu. 
TOs,X - 
LOQ2CI0)*P" 
LOQ2CI0**P) 


Q.t 
curr.nt 
control 
word 
Q.t 
control 
llIIord. no w.it 
n.c •••• 
rlj 
M.sll 
off 
curr.nt 
rounding 
fi.ld 
S.t 
round 
to 
n.g.tiv. 
infinIt\! 
Put 
n.w 
control 
word 
in 
"'.morlj 


old 
control 
word 
is 
in 
.I. 
s.t 
TOS - 
-1.0 


Fldl2t 
.nt.r 
mo. 
Fimul 
fstcw 
mo..n' 
or 
.chg 


4.0 
Cbp-2J ••• 
word 
ptr 
Cbp-2J 
word 
ptr 
Cbp-4) 
••• word 
ptr 
Cbp-4J 
••• 
not 
OCOOH 
••• 
0400H 
••• word 
ptr 
Cbp-4J 


fidl 
fchs 
.Id 
fidel&! 


inter 


LDC 
oB" 
LINE 
SOURCE 


OODI 
D'>Fe 
., 
frndint 


00D3 
9946FC 
.3 
mo. 
\lIord 
ptr 
[bp-41. 
ax 


OODb 
D96EFC 
•• 
flch;:w 
word 
ptr 
[bp-4) 


OOD' 
D9CA 
•• 
hch 
at(;?) 
OOD8 
D8E2 
•• 
f.ub 
st. at(2) 
OODD BB46FE 
.7 
.0' 
AI. [bp-2] 


OOEO D9FD 
•• 
fscale 


00E2 
D9FO 
•• 
41211111 


O0E4 
C'1 
70 
I••v. 


00E5 
DEE1 
71 
'sub.,. 


00E7 
DCCS 
" 
flllul 
st, 
.teO) 


00£9 
C3 
73 
rot 
7',. 
getJower 
_10 
.n~p 
7. 
77 
code 
ends 


7. 
.n. 


ASSEMBLY 
COf'PLETE. 
NO WARNINOS. 
NO ERRORS 


T05. 
X. 
ST(l) 
- 
-1. 
0. 
Sn2) 
- 
I 


TOS.F 
• 
X-I: 
0 <- T05 < 
1. 0 
R•• tore 
powe •• of' 
ten 
ToS 
• 
F/2: 
0 <- 
T09 
< O. 5 


J 
TOS - 
2 •• 
<F/2) 
- 
1. 0 
R •• tore 
stac 
k 


I 
Fo"m 
2*.CF/2) 


FOl'1Il 
2 •• F 


OK to 
l •• ve 
f.uI 
running 


SERIES-Ill 
iAl'X2B6 
""CRD 
ASSEt1BLER 
XlOe 
ASSEMBLY 
OF 
MODULE TOS_STATUS 


OlhJECT I10DULE PLACED IN 
: F3: ToSST. 08~ 


ASSEMBLER 
INVOKED 
BV: 
1\81"1296.96: 
F3: 
ToSST. 
AP2 


סס oo 


0000 
D9ES 


0002 
'SDFEO 


000' 
SAC4 


0007 
250740 
OOOA COEC03 
OOOD OAe4 
OOOF 1400 
0011 
C3 


1 +1 
_titteC"Deterllllne 
ToS 
,,_gister 
contents") 
, 
. 


3•••7•• 
10 
11I. 
13 
1•••I. 
17I. 
"'0,."'3,.,.,. 
27,.,. 
30 


This 
subroutine 
will 
return 
a 
va1u. 
trom 
0-15 
in 
AX corresponding 


to 
the 
contents 
at 
90297 
TDS. 
All 
registers 
are 
tr.nsp.rent 
.nd 
no 
errors 
are 
possible. 
The 
return 
value 
cOT'T'esponds 
to 
c3, c2. cl, 
cO 


at 
FXAI'I instruction. 


f.a", 
tStSlll 
mo..n. 
.hr 
or.0' 
r.t 


.. 
al •• h 
a.,4007h 
ah,3 
aI, 
ah 
.h.O 


get 
T'egisteT' 
contents 
status 


get 
status 
Put 
bit 
10-8 
into 
bits 
2-0 


l'I.sl1 
out 
bits 
c3, c2, cl, 
cO 


Put 
bit 
c3 
into 
bit 
11 
Put 
c3 
into 
bit 
3 


Clear 
return 
value 


Three separate modules implement the conversion. Most of the work of the conversion is done in the 
module FLOATING_TO~SCII. 
The other modules are provided separately, because they have a 
more general use. One of them, GET_POWER_IO, is also used by the ASCII to floating-point conver- 
sion routine. The other small module, TOS_ST ATUS, will identify what, if anything, is in the top of 
the numeric register stack. 


inter 


Care is taken inside the function to avoid generating exceptions. Any possible numeric value will be 
accepted. The only exceptions possible would occur if insufficient space exists on the numeric register 
stack. 


The value passed in the numeric stack is checked for existence, type (NaN or infinity), and status 
(unnormal, denormal, zero, sign). The string size is tested for a minimum and maximum value. If the 
top of the register stack is empty, or the string size is too small, the function will return with an error 
code. 


The functions demonstrate the operation of several numeric instructions, different data types, and 
precision control. Shown are instructions for automatic conversion to BCD, calculating the value of 10 
raised to an integer value, establishing and maintaining concurrency, data synchronization, and use of 
directed rounding on the NPX. 


Without the extended precision data type and built-in exponential function, the double precision accuracy 
of this function could not be attained with the size and speed of the shown example. 


The function relies on the numeric BCD data type for conversion from binary floating-point to decimal. 
It is not difficult to unpack the BCD digits into separate ASCII decimal digits. The major work involves 
scaling the floating-point value to the comparatively limited range of BCD values. To print a 9-digit 
result requires accurately scaling the given value to an integer between 10' and 109• For example, the 
number +0.123456789 
requires a scaling factor of 109 to produce the value +123456789.0, 
which 
can be stored in 9 BCD digits. The scale factor must be an exact power of 10 to avoid to changing any 
of the printed digit values. 


These routines should exactly convert all values exactly representable in decimal in the field size given. 
Integer values that fit in the given string size will not be scaled, but directly stored into the BCD form. 
Noninteger values exactly representable in decimal within the string size limits will also be exactly 
converted. For example, 0.125 is exactly representable in binary or decimal. To convert this floating- 
point value to decimal, the scaling factor will be 1000, resulting in 125. When scaling a value, the 
function must keep track of where the decimal point lies in the final decimal value. 


Converting a floating-point number to decimal ASCII takes three major steps: identifying the magni- 
tude of the number, scaling it for the BCD data type, and converting the BCD data type to a decimal 
ASCII string. 


Identifying the magnitude of the result requires finding the value X such that the number is repre- 
sented by 1*10x, where 1.0 <= 
I < 10.0. Scaling the number requires multiplying it by a scaling 
factor lOS, so that the result is an integer requiring no more decimal digits than provided for in the 
ASCII string. 


Once scaled, the numeric rounding modes and BCD conversion put the number in a form easy to 
convert to decimal ASCII by host software. 


Implementing 
each of these three steps requires 
attention 
to detail. To begin with, not all floating-point 


values have a numeric 
meaning. 
Values such as infinity, 
indefinite, 
or Not a Number 
(NaN) 
may be 


encountered 
by the conversion routine. The conversion routine should recognize these values and identify 


them uniquely. 


Special 
cases of numeric 
values also exist. Denormals, 
unnormals, 
and pseudo zero all have a numeric 


value but should be recognized, 
because 
all of them indicate 
that precision 
was lost during some earlier 


calculations. 


Once it has been determined 
that the number 
has a numeric 
value, and it is normalized 
setting 
appro- 


priate 
unnormal 
flags, the value must be scaled to the BCD range. 


To scale the number, 
its magnitude 
must be determined. 
It is sufficient 
to calculate 
the magnitude 
to 


an accuracy 
of I unit, or within a factor 
of 10 of the given value. After scaling 
the number, 
a check 


will be made 
to see if the result 
falls in the range 
expected. 
If not, the result 
can be adjusted 
one 
decimal 
order 
of magnitude 
up or down. The adjustment 
test after 
the scaling 
is necessary 
due to 


inevitable 
inaccuracies 
in the scaling value. 


Because the magnitude 
estimate 
need only be close, a fast technique 
is used. The magnitude 
is estimated 
by multiplying 
the power of 2, the unbiased 
floating-point 
exponent, 
associated 
with the number 
by 
log,02. Rounding 
the result to an integer 
will produce 
an estimate 
of sufficient 
accuracy. 
Ignoring 
the 


fraction 
value can introduce 
a maximum 
error of 0.32 in the result. 


Using the magnitude 
of the value and size of the number 
string, 
the scaling 
factor 
can be calculated. 
Calculating 
the scaling factor 
is the most inaccurate 
operation 
of the conversion 
process. 
The relation 


IOx=2**(X*log,lO) 
is used for this function. 
The exponentiate 
instruction 
(F2XM1) 
will be used. 


Due to restrictions 
on the range of values allowed by the F2XMl 
instruction, 
the power of 2 value will 


be split into integer 
and fraction 
components. 
The relation 
2**(1 + F) = 
2**1 * 2**F allows using 


the FSCALE 
instruction 
to recombine 
the 2**F value, calculated 
through 
F2XM1, 
and the 2**1 part. 


The inaccuracy 
of these operations 
arises because 
of the trailing 
zeros placed 
into the fraction 
value 


when stripping 
off the integer valued bits. For each integer valued bit in the power of 2 value separated 


from the fraction 
bits, one bit of precision 
is lost in the fraction 
field due to the zero fill occurring 
in 


the least significant 
bits. 


Up to 14 bits may be lost in the fraction 
because 
the largest 
allowed 
floating 
point exponent 
value is 


2'4_1. 


The 
fraction 
and exponent 
fields 
of the number 
are separated 
to avoid 
underflow 
and overflow 
in 


calculating 
the scaling 
values. For example, 
to scale 
10-4932to 108 requires 
a scaling 
factor 
of 104950, 


which cannot 
be represented 
by the NPX. 


By separating 
the exponent 
and fraction, 
the scaling operation 
involves adding 
the exponents 
separate 


from multiplying 
the fractions. 
The exponent 
arithmetic 
will involve small integers, 
all easily repre- 


sented by the NPX. 


It is possible that the power function (GeLPoweclO) 
could produce a scaling value such that it forms 
a scaled result larger than the ASCII field could allow. For example, scaling 9.9999999999999999 X 
104900 by 1.00000000000000010 X 10-4883 
would produce 1.00000000000000009 X 10". The scale 
factor is within the accuracy of the NPX and the result is within the conversion accuracy, but it cannot 
be represented in BCD format. This is why there is a post-scaling test on the magnitude of the result. 
The result can be multiplied or divided by 10, depending on whether the result was too small or too 
large, respectively. 


For maximum flexibility in output formats, the position of the decimal point is indicated by a binary 
integer called the power value. If the power value is zero, then the decimal point is assumed to be at 
the right of the rightmost digit. Power values greater than zero indicate how many trailing zeros are 
not shown. For each unit below zero, move the decimal point to the left in the string. 


The last step of the conversion is storing the result in BCD and indicating where the decimal point lies. 
The BCD string is then unpacked into ASCII decimal characters. The ASCII sign is set corresponding 
to the sign of the original value. 


The 80287 instruction set does not provide a complete set of trigonometric functions that can be used 
directly in calculations. Rather, the basic building blocks for implementing trigonometric functions are 
provided by the FPTAN and FPREM instructions. The example in figure 4-7 shows how three trigon- 
ometric functions (sine, cosine, and tangent) can be implementing using the 80287. All three functions 
accept a valid angle argument 
between 
- 262 and +262• These functions may be called from 
PL/M-286, Pascal-286, FORTRAN-286, or ASM286 routines. 


These trigonometric functions use the partial tangent instruction together with trigonometric identities 
to calculate the result. They are accurate to within 16 units of the low 4 bits of an extended precision 
value. The functions are coded for speed and small size, with tradeoffs available for greater accuracy. 


These trigonometric functions use the FPTAN instruction of the NPX. FPTAN requires that the angle 
argument be between 0 and 1r / 4 radians, 0 to 45 degrees. The FPREM instruction is used to reduce 
the argument down to this range. The low three quotient bits set by FPREM identify which octant the 
original angle was in. 


One FPREM instruction iteration can reduce angles of 1018 radians or less in magnitude to 1r / 4!Larger 
values can be reduced, but the meaning of the result is questionable, because any errors in the least 
significant bits of that value represent changes of 45 degrees or more in the reduced angle. 


To save code space, the cosine function uses most of the sine function code. The relation sin ( IA I + 
11'/2) = cos(A) is used to convert the cosine argument into a sine argument. Adding 11'/2 to the angle 
is performed by adding 0102 to the FPREM quotient bits identifying the argument's octant. 


It would be very inaccurate to add 11'/2 to the cosine argument if it was very much different from 


11'/2. 


Depending on which octant the argument falls in, a different relation will be used in the sine and 
tangent functions. The program listings show which relations are used. 


For the tangent function, the ratio produced by FPTAN will be directly evaluated. The sine function 
will use either a sine or cosine relation depending on which octant the angle fell into. On exit, these 
functions will normally leave a divide instruction in progress to maintain concurrency. 


If the input angles are of a restricted range, such as from a to 45 degrees, then considerable optimiza- 
tion is possible since full angle reduction and octant identification is not necessary. 


All three functions begin by looking at the value given to them. Not a Number (NaN), infinity, or 
empty registers must be specially treated. Unnormals need to be converted to normal values before the 
FPTAN instruction will work correctly. Denormals will be converted to very small unnormals that do 
work correctly for the FPTAN instruction. The sign of the angle is saved to control the sign of the 
result. 


Within the functions, close attention was paid to maintain concurrent execution of the 80287 and host. 
The concurrent execution will effectively hide the execution time of the decision logic used in the 
program. 


SERIES-III 
iAPX286 
KACRO ASSEMBLERXl08 
ASSEMBLY OF MODULE TRIO 
FUNCTIONS 


OBJECT 
HODULE 
PLACED 
IN 
: F3: TRIO. 
aB'" 
- 
ASSEMBLER INVOKED BY: 
A5,",286.86: 
F3: TRIO. AP2 


0000 
35C2bB21A2DAOF 
C9FE3F 


000... 
OOOOCOFF 


1 +1 
•3•, 
6 
7 
8 
9 


10 
11I. 
13I'" 
16 


0018 
D9E~ 
001061 98DFEO 
OOlD 2ED82EOOOO 
0022 
8101 
0024 
9E 
002' 
72b3 


,. 
20 
21 
22 
23 
242. 
2b 
27 
2a2. 
30 
31 
32 
33 
34 
'" 
3b 
37 
3a 
3' 
40 
41 
42 
43 
44 
4~ 
+1 
4b 
47 
4a 
4..0 
"''2 
'3•• 
""'b"'.a•• 
bO 
bl 
b2 
b3 
b4b. 
bb 
b7 
bab. 
70 
71 
72 +1 
73 
74 
'" 
76 
77 
7a 
7. 
ao 
al 
a2 
a3 
a4a. 
ab 
a7 
aaa. 
.0., 
92.3'4••'b 
.7 
.a•• 
100 
101 
102 
103 
104 
10. 
lOb 
107 
loa 
109 
110 
111 
112 


Thil 
lubroutine 
calculatel 
th, 
line 
01" 
COlin, 
of' 
the 
angle. 
given 
in 
radianl 
Th. 
angle 
il 
in 
5T(0). 
the 
return.d 
value 
will 
be 
in 
5TeOL 
Th. 
relult 
11 
accurate 
to 
within 
7 
units 
of' 
the 
l'a"t 
lignif'icant 
three 
bitl 
of 
the 
NPX •• tended 
real 
format. 
The 
PU1/Bb 
def'inition 
i,,: 


line: 
procedure 
(angl.> 
real 
e.ternall 


declare 
angle 
r.all 
end 
line; 


velid 
unnor",al 
le"s 
than 
2*ttb2 
in 
lIlagnitude 


tero 
denortllal 
val 
id 
01" 
unnormal 
greater 
than 
2tt*b2 


infinitltl 
NAN 
emptv 


correct 
".lue 
o or 
1 
correct 
deno"mal 


inddinih 
indefinite 
NAN 
emptv 


This 
f'unction 
is 
based 
on 
the 
NPX fptan 
instruction. 
The 
fptan 
instruction 
will 
anI", 
work 
with 
an 
angle 
of 
from 
0 
to 
PI/4. 
With 
this 
instruction. 
the 
line 
or 
COline 
of 
angles 
from 
0 
to 
PI/4 
can 
be 
accuratel", 
calculated. 
The 
techniq,ue 
used 
bV thil 
routine 
can 
calculate 
a 
general 


line 
or 
COline 
bV uling 
one 
of 
four 
pO.libl. 
ope"ationl; 


octant 
"in. 
COline 


S" 
2 


S-4 
3 


S_2 
-1*1 
S_3 
-1*4 
-5*1 
-1*2 


-5*4 
-1*3 


-5*2 
1 


-5*3 
4 


I 
Angle 
to 
line 
function 
i" 
• 
t.ro 
or 
unnor",al. 
, 
"ine 
lero_unnormal 


, 
I 
Angle 
i" 
an 
unnor~al. 
, 
ent.r 
_"ine_norlllill 
i Ie; 


call 
norlllalile_value 


J"' 
"hort 
.nter 
_"ine 


cosine 
proc 


f.am 
fit".., 
A. 


fld 
pi_lluarter 


"OV 
c1.1 
"ahf 
J' 
funnltlJarllmeter 


Ang Ie 
i. 
unnorlllal. 
normal. 


f.ch 
JP- 
ent.r 
_"ine 


Angle ,. An 
unnor.lIl 


htp 
Ite 
1) 
Jn, 
enter 
_"ine_noretal 
i Ie 


Angle ,. A lero. 
co,,(O) - 1.0 


Look 
at 
the 
value 


Store 
"tatu" 
val ue 
Setup 
for 
angle 
reduce 


I 
Signal 
co"ine 
function 
ZF • 
C3. 
PF 
• 
C2. 
CF. 
CO 
Jump 
if' 
parameter 
i" 


emptv. 
NAN. or 
infinitv 


0034 
09E, 
0036 
9BOFEO 
0039 
2EOB2EOOOO 
oo3E 
9E 
003F 
7249 


005F 
BOC740 


0062 
3000 


0064 
DODO 
0066 
32F8 


0071 
09E4 
0073 
91 
0074 
9BDFEO 


0077 
91 
0078 
0009 
007" 
FOC,40 
0070 
7'14 


All 
wo"k 
is 
done 
as 
a 
sine 
function. 
B\I adding 
PI/;!: 
to 
the 
angle 


a 
cosine 
is 
con"'e"ted 
to 
II .ine. 
Of 
cou"se 
the 
angle 
addition 
i. 
not 
done 
to 
the 
argument 
but 
r~ther 
to 
the 
p"og"lIm 
logic 
control 
..,.lue 
•. 


'Iaftl 
fstsw 
al 


fld 
pi_Itua"ter 
sahf 
Je 
funn\lJlII".mltte" 


I 
Look 
at 
thlt 
pa"aftletlt" 


Looll 
at 
f.a 
•• 
tatus 
get 
PI/4 
value 


CF - 
CO, PF - 
C2. 
ZF - 
C3 


JUlIlp if 
empt\l' 
NAN. 0" 
infinit\l 


I 
sT(1) 
• 
PI/4. 
st(O) 
angle 
I 
Signal 
sine 


; 
JUlIIp i' 
t e"o 
or 
unno"m.l 


sT(O) 
is 
eithe" 
a 
nO"lIIal 
0" 
deno"lIlal 
"'alult. 
Both 
will 
war II. 


U.e 
the 
fp"em 
inst"uction 
to 
accuratel\l 
"educe 
the 
".nge 
of 
the 
gi..,en 


.ngle 
to 
within 
0 .nd 
PI/4 
in 
magnitude. 
If 
fp"em 
c.nnot 
reduce 
the 


angle 
in 
one 
shot. 
the 
.ngle 
i. 
too 
big 
to 
be 
me.ningful, 
> 2**62 


radian.. 
An\l roundoff 
er"o" 
in 
thlt 
calculation 
of 
the 
angl* 
gi..,en 
could 
completel\l 
change 
the 
"e.ult 
of 
this 
function. 
It 
is 
.afe.t 
to 


call 
thi. 
vel' \I "are 
ca.e 
an e"ror. 


Reduce 
angle 


Note 
that 
fp"e. 
will 
fo"ce 
a 


denorlllal 
to 
a 
..,er\l 
lIlIIall 
unnorlllal 


Fptan 
of 
• 
ve"v 
1I11l1l11unno"",al 


will 
be 
the 
.ame 
ver\l 
.ftllIll 


unnorlll.l, 
which 
ill 
cor"eet. 


S."'e 
old 
.tatus 
in 
BX 
Checll 
if 
reduction 
wa. 
complete 


Quotient 
in 
CO.C3. Cl 
Put 
new 
statu. 
in 
bl 
.in(2-N*PI+I) 
., 
.in(.) 
Ichg 
al. 
bl 


test 
bh. high(IIII1.11 cond2) 


Jnl 
ang le_too_b 
ig 


Fo"c. 
the 
a"gument 
pOllitive 


I 
condl 
bit 
in 
bl 
holdll 
the 
sign 


Te.t 
for 
sine 
0" 
cosine 
function 
JUftlp if 
sine 
function 


Turn 
off 
sign 
of 
a"gument 


Prepa"e 
to 
add 
010 
to 
CO. C3. Cl 
status 
value 
in 
al 


I 
Set 
bus\! 
bit 
so 
car,,\! 
out 
fro. 
C3 lIIill 
go 
into 
thlt 
ca"rv 
fll11g 


Eltraet 
ca"r" 
fl.~g 
Put 
ca"ry 
flag 
in 
low 
bit 


I 
Add carr" 
to 
CO not 
changing 
Cl 
flag 


bh. high (ilia. II cond31 
Ill. 0 
Ill. 1 


bh •• 
1 


fht 
IChg 
f.t.w 
Ichg 
flltp 
te.t 
,n, 
.te 1) 
ch, high (ma.1I 
cond3) 
s i ne_argu.ent_lero 


inter 


0097 
DED9 
0099 
2ED9060AOO 
009E 98 
009F C3 


00A4 
oeC8 


00A6 
09C'1 
00A8 
Deca 


OOAA 
DEe 
1 


OOAC 
D9FA 


DOAf 80E701 
00131 80E402 
0084 
OAFe 
OoBb 
7A02 


.07 
.08.0. 
"0 
.11". 
"3". 
'15.,. 
.,7 
"8 
.19 
220 
221 
22. 
223 
22 • 
• 25 
22. 
227 
228 
22 • 
• 30 
'31.3. 
'33 
23' 
235 
.3• 
• 37 
.38 
.39 
"0 
2"••• 
243 
••• 
240 
2•• 
•• 7 
2'8 
2•• 
250 
251 
25. 
253 
25' 
.55 
25. 
257 
258 
259 
•• 0 
2., 
2'2 
2.3 
2•• 
2'5 
2••"7 
2.8 
2•• 
270 
271 
272 
273 
27. 
275 
276 
277 
.78 
.79 
280 
281 
282 
283 
28. 
2B5 
2B. 
287 
2BB 
289 
290 
291 
292 
293••• 
•95 
296 +1 
297 
"B••• 
300 


test 
bll. 
highCma,k 
cond3 
+ 
mask 
tond!); 
Look 
at 
octant 
an!ille 
fell 
into 


JPO 
X_numerator 
Caleul.tlt 
cosine 
'or 
octants 
1,2.5.6 


C.lcul.~t. 
the 
5lnlt 
of 
tn. 
argu"'ltnt 
sln(A) 
- 
tan(Al/sqrt<1+tan(A)**2) 
sinCA) 
• 
Y/sq,rtex*x 
+ 
V*V) 


fcompp 
fid 
lnd.flnit. 
Fwalt 
rot 


Calculate 
the 
cosine 
of 
the 
argument 


cos(A) 
= 
lIsqrt( 
1+tan(A)**2) 
if 
tardAJ 
'"' Y/X 
th.n 


cosCA) 
= 
X/sqrt(X*X 
+ 
V*V) 


fmul 
!tt, steC) 
flCh 
fmul 
st, 
steO) 
f.dd 
fSlrrt 


bll, 
h1gh 
(mask 
condO) 


ah,high(mask 
condl> 


bh,ah 
positive_sine 


Look 
at 
thE' 
fprE'm 
CO 
flag 
Look 
at 
thE' 
ham 
Cl 
flag 
Even 
number 
of 
flilg'i 
cancel 
Two negative~ 
make 
a 
positive 


This 
funct10n 
101111 c.lculate 
the 
tangent 
of 
an 
angle 


The 
angle. 
In 
radiOln~ 
is 
pOIssed 
1n 
ST(OL 
the 
tangent 
1~ 
returned 
1n 
ST(O) 
The 
tangent 
15 
calculated 
to 
an 
accurac\I 
of 
4 
unit5 
in 
the 


OOBD DllE5 
OOBF 
llBDFEO 


00C2 
2EOB2EOOOO 


OOC7 
llE 


OOCB 72CO 


OOCE OWB 


0000 
113 


0001 
llBOFEO 


OOD4 113 
OOD5 FoC704 
oooe 
7'BO 


tengent: 
procedure 
(angle) 
reel 
ellternel; 


declare 
angle 
relill 


end 
tllngent; 


valid 
0'" 
unnorlllal 
< 2e.02 
in 
lIlegnitude 
o 
denor •• l 
valid 
or 
unnor.el 
:> 2e.02 
in 
.egnitude 
NIIN 
lnfinitv 
e.ptV 


correct 
value 
o 
correct 
denor.al 
indefinite 
NAN 
inde'inih 
UlptV 


f ••• 
fstslll 
a. 
fld 
pi_4uarter 
s.hf 
JC 
funnfwlJllrllmete" 


Look 
at 
the 
paraflleter 


get 
fll •• 
status 
get 
PI/4 
CF 
• 
CO. 
PF 
• 
C2. 
IF· 
C3 


Angle 
is 
either 
an 
no"mlll 
or 
deno"mal. 


Reduce 
the 
angle 
to 
t"'e 
range 
-PI/4 
< result 
< PI/4. 


If 
fp"elll 
cannot 
perfo"m 
this 
operation 
in 
one 
trv. 
the 
magnitude 
of 
the 


anllie 
lIlust 
be > 2e.02. 
Such 
en 
lingle 
is 
so 
le"lIe 
that 
an", 
"ounding 


erro"s 
could 
•••ake 
a 
ve"v 
la"lIe 
difference 
in 
the 
reduced 
anille. 


It 
is 
sefest 
to 
clill 
t"'is 
verfwl "a"e 
ca.e 
an 
er"o". 


.Chll 
a •• b. 
test 
bh. high(Rlask 
cond2) 


Jnz 
angle_too_big 


inter 


OOEF D9E4 
OOFI 
91 
OOF2 
9BDFEO 
OOF'S 91 
OOFb DDD9 
OOFB F6C540 
OOFB 7515 


011F 
D9El 
0121 
D9F4 
0123 
D9EB 
0125 DCt1 
0127 
DEE9 
0129 
D9FD 
0128 
DDD9 
0120 
2EDB2EOOOO 
0132 
09C9 
0134 
C3 


fht 
,chll 
fst.w 
JChll 
htp 
t.st 
In, 
.. 
<lX.c. 
st( 
1) 


eh. hillh(lusk 
(ond3> 


t""_lltro 


1Il0V 
.-1. bh 
Oet 
•• cop", 
of 
'pr 
••• 
C3 fl.g 
.nd 
•••••• 
k candl 
+ high(IIl •• k cond3)1 
E••• 
in. 
'pr 
•• 
C3 flag 
and 
FXAM Cl 
'hg 
test 
bh. 
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Appendix 
A 
Machine Instruction 
Encodmg And Decodmg 


Machine 
instructions 
for the 80287 come in one of five different 
forms as shown in table A-I. 
In all 
cases, the instructions 
are at least two bytes long and begin with the bit pattern 
11011 B, which identi- 
fies the ESCAPE 
class of instructions. 
Instructions 
that reference 
memory operands 
are encoded 
much 
like similar 
CPU 
instructions, 
because 
all of the CPU 
memory-addressing 
modes 
may be used with 
ESCAPE 
instructions. 


Note that several of the processor 
control instructions 
(see table 2-11 in Chapter 
Two) may be preceded 
by an assembler-generated 
CPU 
WAIT 
instruction 
(encoding: 
10011011B) 
if they are programmed 
using the WAIT 
form of their mnemonics. 
The ASM286 
assembler 
inserts 
a WAIT 
instruction 
only 
before 
these specific processor 
control instructions-all 
of the numeric 
instructions 
are automatically 
synchronized 
by the 80286 CPU and an explicit 
WAIT 
instruction, 
though 
allowed, is not necessary. 


Lower-Addressed 
Byte 
Higher-Addressed 
Byte 
0, 1, or 2 bytes 


1 
1 
0 
1 
1 
OP-A 
1 
MOD 
1 
OP-S 
R/M 
DISPLACEMENT 


1 
1 
0 
1 
1 
FORMAT 
OP-AMOD 
OP-S 
R/M 
DISPLACEMENT 


1 
1 
0 
1 
1 
R 
P 
OP-A 1 
1 
OP-S 
REG 


1 
1 
0 
1 
1 
0 
0 
1 
1 
1 
1 
OP 


1 
1 
0 
1 
1 
0 
1 
1 
1 
1 
1 
OP 


NOTES: 


('lMemory transfers, 
including applicable 
processor 
control instructions; 
0, 1, or 2 displacement 
bytes may 
follow. 


(2lMemory arithmetic and comparison 
instructions; 
0, 1, or 2 displacement 
bytes may follow. 


(3lStack arithmetic and comparison 
instructions. 


(4lConstant, transcendental, 
some arithmetic instructions. 


(5lProcessor control instructions 
that do not reference 
memory. 


OP, OP-A, OP-S: Instruction opcode, 
possibly split into two fields. 


MOD: Same as 80286 CPU mode field. 


R/M: Same as 80286 CPU register/memory 
field. 


FORMAT: Defines memory operand 


00 = short real 
01 = short integer 
10 = long real 
11 = word integer 


R: 0 = return result to stack top 


1 = return result to other register 


P: 0 = do not pop stack 


1 = pop stack after operation 


1st Byte 
ASM286 
Instruction 
2nd Byte 
Bytes 
3, 4 
Format 
Hex 
Binary 


DC 
1101 
1100 
1101 
1REG 
*(3) 


DC 
1101 
1100 
1110 
OREG 
FSUB 
ST(i),ST 
DC 
1101 
1100 
1110 
1REG 
FSUBR 
ST(i),ST 
DC 
1101 
1100 
1111 
OREG 
FDIV 
ST(i),ST 
DC 
1101 
1100 
1111 
1REG 
FDIVR 
ST(I),ST 
DO 
1101 
1101 
MODOO OR/M 
(disp-Io),(disp-hi) 
FLD 
long-real 
DO 
1101 
1101 
MODOO 1R/M 
reserved 


DO 
1101 
1101 
MOD01 
OR/M 
(disp-Io),(disp-hi) 
FST 
long-real 
DO 
1101 
1101 
MOD01 
1R/M 
(disp-Io),(disp-hi) 
FSTP 
long-real 
DO 
1101 
1101 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
FRSTOR 
94-bytes 
DO 
1101 
1101 
MOD10 
1R/M 
(disp-Io),(disp-hi) 
reserved 


DO 
1101 
1101 
MOD11 
OR/M 
(disp-Io),(disp-hi) 
FSAVE 
94-bytes 
DO 
1101 
1101 
MOD11 
1R/M 
(disp-Io),(disp-hi) 
FSTSW 
2-bytes 
DO 
1101 
1101 
1100 
OREG 
FFREE 
ST(i) 
DO 
1101 
1101 
1100 
1REG 
*(4) 
DO 
1101 
1101 
1101 
OREG 
FST 
ST(i) 
DO 
1101 
1101 
1101 
1REG 
FSTP 
ST(i) 
DO 
1101 
1101 
111- 
reserved 


DE 
1101 
1110 
MODOO OR/M 
(disp-Io),(disp-hi) 
FIADD 
word-integer 
DE 
n01 
1110 
MODOO 1R/M 
(disp-Io),(disp-hi) 
FIMUL 
word-integer 
DE 
1101 
1110 
MOD01 
OR/M 
(disp-Io),(disp-hi) 
FICOM 
word-integer 
DE 
1101 
1110 
MOD01 
1R/M 
(disp-Io),(disp-hi) 
FICOMP 
word-integer 
DE 
1101 
1110 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
FISUB 
word-integer 
DE 
1101 
1110 
MOD10 
1R/M 
(disp-Io),(disp-hi) 
FISUBR 
word-integer 
DE 
1101 
1110 
MOD11 
OR/M 
(disp-Io),(disp-hi) 
FIDIV 
word-integer 
DE 
1101 
1110 
MOD11 
1R/M 
(disp-Io),(disp-hi) 
FIDIVR 
word-integer 
DE 
1101 
1110 
1100 
OREG 
FADDP 
ST(i),ST 
DE 
1101 
1110 
1100 
1REG 
FMULP 
ST(I),ST 
DE 
1101 
1110 
1101 
0--- 
*(5) 


DE 
1101 
1110 
1101 
1000 
reserved 


DE 
1101 
1110 
1101 
1001 
FCOMPP 


DE 
1101 
1110 
1101 
101- 
reserved 


DE 
1101 
1110 
1101 
11-- 
reserved 


DE 
1101 
1110 
1110 
OREG 
FSUBP 
ST(i),ST 
DE 
1101 
1110 
1110 
1REG 
FSUBRP 
ST(i),ST 
DE 
1101 
1110 
1111 
OREG 
FDIVP 
ST(i),ST 
DE 
1101 
1110 
1111 
1REG 
FDIVRP 
ST(i),ST 
OF 
1101 
1111 
MODOO OR/M 
(disp-Io),(disp-hi) 
FILD 
word-integer 
OF 
1101 
1111 
MODOO 1R/M 
(disp-Io),(disp-hi) 
reserved 


OF 
1101 
1111 
MOD01 
OR/M 
(disp-Io),(disp-hi) 
FIST 
word-integer 
OF 
1101 
1111 
MOD01 
1R/M 
(disp-Io),(disp-hi) 
FISTP 
word-integer 
OF 
1101 
1111 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
FBLD 
packed-decimal 


OF 
1101 
1111 
MOD10 
1R/M 
(disp-Io),(disp-hi) 
FILD 
long-integer 
OF 
1101 
1111 
MOD11 
OR/M 
(disp-Io),(disp-hi) 
FBSTP 
packed-decimal 
OF 
1101 
1111 
MOD11 
1R/M 
(disp-Io),(disp-hi) 
FISTP 
long-integer 
OF 
1101 
1111 
1100 
OREG 
*(6) 
OF 
1101 
1111 
1100 
1REG 
*(7) 
OF 
1101 
1111 
1101 
OREG 
*(8) 


OF 
1101 
1111 
1101 
1REG 
*(9) 


OF 
1101 
1111 
1110 
000 
FSTSWAX 
OF 
1101 
1111 
1111 
XXX 
reserved 


inter 


1st Byte 


2nd Byte 
Bytes 3,4 
ASM286 
Instruction 


Hex 
Binary 


,- 
Format 


D9 
1101 
1001 
1110 
1101 
FLDLN2 


D9 
1101 
1001 
1110 
1110 
FLDZ 


D9 
1101 
1001 
1110 
1111 
reserved 


D9 
1101 
1001 
1111 
0000 
, 
F2XMl 


D9 
1101 
1001 
1111 
0001 
FYL2X 


D9 
1101 
1001 
1111 
0010 
, 


FPTAN 


D9 
1101 
1001 
1111 
0011 
FPATAN 


D9 
1101 
1001 
1111 
0100 
FXTRACT 


D9 
1101 
1001 
1111 
0101 
reserved 


D9 
1101 
1001 
1111 
0110 
FDECSTP 


D9 
1101 
1001 
1111 
0111 
FINCSTP 


D9 
1101 
1001 
1111 
1000 
FPREM 


D9 
1101 
1001 
1111 
1001 
FYL2XPl 


D9 
1101 
1001 
1111 
1010 
, 
FSQRT 


D9 
1101 
1001 
1111 
1011 
reserved 


D9 
1101 
1001 
1111 
1100 
FRNDINT 


D9 
1101 
1001 
1111 
1101 
FSCALE 


D9 
1101 
1001 
1111 
111- 
reserved 


DA 
1101 
1010 
MODOO OR/M 
(disp-Io),(disp-hi) 
FIADD 
Short-integer 
DA 
1101 
1010 
MODOO lR/M 
(disp-Io),(disp-hi) 
FIMUL 
Short-integer 
DA 
1101 
1010 
MODOl 
OR/M 
(disp-Io),(disp-hi) 
FICOM 
Short-integer 
DA 
1101 
1010 
MODOl 
lR/M 
(disp-Io),(disp-hi) 
FICOMP 
Short-integer 
DA 
1101 
1010 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
FISUB 
short-integer 
DA 
1101 
1010 
MOD10 
lR/M 
(disp-Io),(disp-hi) 
FISUBR 
Short-integer 
DA 
1101 
1010 
MODll 
OR/M 
(disp-Io),(disp-hi) 
FIDIV 
short-integer 
DA 
1101 
1010 
MODll 
lR/M 
(disp-Io),(disp-hi) 
FIDIVR 
Short-integer 
DA 
1101 
1010 
11-- 
---- 
reserved 


DB 
1101 
1011 
MODOO OR/M 
(disp-Io),(disp-hi) 
FILD 
short-integer 
DB 
1101 
1011 
MODOO lR/M 
(disp-Io),(disp-hi) 
reserved 


DB 
1101 
1011 
MODOl 
OR/M 
(disp-Io),(disp-hi) 
FIST 
short-integer 
DB 
1101 
1011 
MODOl 
lR/M 
(disp-Io),(disp-hi) 
FISTP 
Short-integer 
DB 
1101 
1011 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
reserved 


DB 
1101 
1011 
MOD10 
lR/M 
(disp-Io),(disp-hi) 
FLD 
temp-real 


DB 
1101 
1011 
MODll 
OR/M 
(disp-Io),(disp-hi) 
reserved 


DB 
1101 
1011 
/ 
MODll 
lR/M 
(disp-Io ),(disp-hi) 
FSTP 
temp-real 


DB 
1101 
1011 
110- 
---- 
reserved 


DB 
1101 
1011 
1110 
0000 
reserved 
(8087 FENI) 


DB 
1101 
1011 
1110 
0001 
reserved 
(8087 FDISI) 
DB 
1101 
1011 
1110 
0010 
FCLEX 


DB 
1101 
1011 
1110 
0011 
FINIT 


DB 
1101 
1011 
1110 
0100 
FSETPM 


DB 
1101 
1011 
1110 
1--- 
reserved 


DB 
1101 
1011 
1111 
---- 
reserved 


DC 
1101 
1100 
MODOO OR/M 
(disp-Io),(disp-hi) 
FADD 
long-real 


DC 
1101 
1100 
MODOO lR/M 
(disp-Io),(disp-hi) 
FMUL 
long-real 


DC 
1101 
1100 
MODOl 
OR/M 
(disp-Io),(disp-hi) 
FCOM 
long-real 


DC 
1101 
1100 
MODOl 
lR/M 
(disp-Io),(disp-hi) 
FCOMP 
long-real 


DC 
1101 
1100 
MOD10 
OR/M 
(disp-Io),(disp-hi) 
FSUB 
long-real 


DC 
1101 
1100 
MOD10 
lR/M 
(disp-Io),(disp-hi) 
FSUBR 
long-real 


DC 
1101 
1100 
MODll 
OR/M 
(disp-Io),(disp-hi) 
FDIV 
long-real 
DC 
1101 
1100 
MODll 
lR/M 
(disp-Io),(disp-hi) 
FDIVR 
long-real 


DC 
1101 
1100 
1100 
OREG 
FADD 
ST(i),ST 


DC 
1101 
1100 
1100 
lREG 
FMUL 
ST(i),ST 


DC 
1101 
1100 
1101 
OREG 
*(2) 


· . - 
* The marked encoolngs 
are nor generaleu 
uy lilt::: 1i::tIIYUdY~ 
u QII;:)IQlUI~. 
II, 
IIV •.•.~'oJt, 
'" I•••••••••••••••.•.• 


one of these encodings 
in the instruction 
stream, 
it will execute 
it as follows: 


(1) FSTP 
ST(i) 


(2) FCOM 
ST(i) 


(3) FCOMP 
ST(i) 


(4) FXCH 
ST(i) 


(5) FCOMP 
ST(i) 


(6) FFREE 
ST(i) and pop stack 


(7) FXCH 
ST(i) 


(8) FSTP 
ST(i) 


(9) FSTP 
ST(i) 


• 
I<Jl) 
• 


001 = next on stack 
010 = third stack element. 
etc. 


Table A-2 lists all 80287 machine 
instructions 
in binary sequence. 
This table may be used to "disassem- 


ble" instructions 
in unformatted 
memory 
dumps 
or instructions 
monitored 
from the data 
bus. Users 


writing exception 
handlers 
may also find this information 
useful to identify 
the offending 
instruction. 


1st Byte 


2nd Byte 
Bytes 3, 4 
ASM286 
Instruction 


Hex 
Binary 
Format 


D8 
1101 
1000 
MODOO ORjM 
(disp-Io),(disp-hi) 
FADD 
short-real 


D8 
1101 
1000 
MODOO 1RjM 
(disp-Io),(disp-hi) 
FMUL 
short-real 


D8 
1101 
1000 
MOD01 
ORjM 
(disp-Io),(disp-hi) 
FCOM 
short-real 


D8 
1101 
1000 
MOD01 
1RjM 
(disp-Io),(disp-hi) 
FCOMP 
short-real 


D8 
1101 
1000 
MOD10 
ORjM 
(disp-Io),(disp-hi) 
FSUB 
short-real 


D8 
1101 
1000 
MOD10 
1RjM 
(disp-Io),(disp-hi) 
FSUBR 
short-real 


D8 
1101 
1000 
MOD11 
ORjM 
(disp-Io),(disp-hi) 
FDIV 
short-real 


D8 
1101 
1000 
MOD11 
1RjM 
(disp-Io),(disp-hi) 
FDIVR 
short-real 


D8 
1101 
1000 
1100 
OREG 
FADD 
ST,ST(i) 


D8 
1101 
1000 
1100 
1REG 
FMUL 
ST,ST(i) 


D8 
1101 
1000 
1101 
OREG 
FCOM 
ST(i) 


D8 
1101 
1000 
1101 
1REG 
FCOMP 
ST(i) 


D8 
1101 
1000 
1110 
OREG 
FSUB 
ST,ST(i) 


D8 
1101 
1000 
1110 
1REG 
FSUBR 
ST,ST(i) 


D8 
1101 
1000 
1111 
OREG 
FDIV 
ST,ST(i) 


D8 
1101 
1000 
1111 
1REG 
FDIVR 
ST,ST(i) 


D9 
1101 
1001 
MODOO ORjM 
(disp-Io),(disp-hi) 
FLD 
short-real 


D9 
1101 
1001 
MODOO 1R/M 
reserved 


D9 
1101 
1001 
MOD01 
ORjM 
(disp-Io),(disp-hi) 
FST 
short-real 
D9 
1101 
1001 
MOD01 
1RjM 
(disp-Io),(disp-hi) 
FSTP 
short-real 


D9 
1101 
1001 
MOD10 
ORjM 
(disp-Io),(disp-hi) 
FLDENV 
14-bytes 


D9 
1101 
1001 
MOD10 
1RjM 
(disp-Io),(disp-hi) 
FLDCW 
2-bytes 


D9 
1101 
1001 
MOD11 
ORjM 
(disp-Io),(disp-hi) 
FSTENV 
14-bytes 


D9 
1101 
1001 
MOD11 
1RjM 
(disp-Io),(disp-hi) 
FSTCW 
2-bytes 


D9 
1101 
1001 
1100 
OREG 
FLD 
ST(i) 


D9 
1101 
1001 
1100 
1REG 
FXCH 
ST(i) 


D9 
1101 
1001 
1101 
0000 
FNOP 


D9 
1101 
1001 
1101 
0001 
reserved 


D9 
1101 
1001 
1101 
001- 
reserved 


D9 
1101 
1001 
1101 
01-- 
reserved 


D9 
1101 
1001 
1101 
1REG 
*(1) 


D9 
1101 
1001 
1110 
0000 
FCHS 


D9 
1101 
1001 
1110 
0001 
FABS 


D9 
1101 
1001 
1110 
001- 
reserved 


D9 
1101 
1001 
1110 
0100 
FTST 


D9 
1101 
1001 
1110 
0101 
FXAM 


D9 
1101 
1001 
1110 
011- 
reserved 


D9 
1101 
1001 
1110 
1000 
FLD1 


D9 
1101 
1001 
1110 
1001 
FLDL2T 


D9 
1101 
1001 
1110 
1010 
FLDL2E 


D9 
1101 
1001 
1110 
1011 
FLDPI 


D9 
1101 
1001 
1110 
1100 
FLDLG2 
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APPENDIX 
B 
COMPATIBILITY 
BETWEEN 
THE 
80287 
NPX AND THE 
8087 


The iAPX 286/20 
operating 
in Real-Address 
mode will execute 
iAPX 
86/20 
programs 
without 
major 
modification. 
However, 
because 
of differences 
in the handling 
of numeric 
exceptions 
by the 80287 
NPX and the 8087 NPX, 
exception-handling 
routines may need to be changed. 


This appendix 
summarizes 
the differences 
between 
the 80287 NPX 
and the 8087 NPX, 
and provides 
details 
showing how iAPX 
86/20 
programs 
can be ported 
to the iAPX 286/20. 


I. 
The NPX 
signals 
exceptions 
through 
a dedicated 
ERROR 
line to the 
80286. 
The 
NPX 
error 


signal does not pass through 
an interrupt 
controller 
(the 8087 INT 
signal does). Therefore, 
any 
interrupt-controller-oriented 
instructions 
in numeric 
exception 
handlers 
for the iAPX 86/20 
should 
be deleted. 


2. 
The 8087 instructions 
FENI/FNENI 
and FDISI/FNDISI 
perform no useful function in the 80287. 


If the 80287 encounters 
one of these opcodes 
in its instruction 
stream, 
the instruction 
will effec- 


tively be ignored-none 
of the 80287 
internal 
states 
will be updated. 
While 
iAPX 
86/20 
code 


containing 
these instructions 
may be executed 
on the iAPX 
286/20, 
it is unlikely 
that the excep- 
tion-handling 
routines 
containing 
these instructions 
will be completely 
portable 
to the 80287. 


3. 
Interrupt 
vector 
16 must point to the numeric 
exception 
handling 
routine. 


4. 
The ESC 
instruction 
address 
saved 
in the 80287 
includes 
any leading 
prefixes 
before 
the ESC 


opcode. The corresponding 
address 
saved in the 8087 does not include 
leading 
prefixes. 


5. 
In Protected-Address 
mode, the format 
of the 80287's 
saved instruction 
and address 
pointers 
is 
different 
than 
for the 8087. The instruction 
opcode 
is not saved 
in Protected 
mode-exception 
handlers 
will have to retrieve 
the opcode from memory 
if needed. 


6. 
Interrupt 
7 will occur in the 80286 when executing 
ESC instructions 
with either TS (task switched) 
or EM (emulation) 
of the 80286 MSW 
set (TS= 
I or EM= 
I). If TS is set, then a WAIT 
instruc- 


tion will also cause interrupt 
7. An exception 
handler 
should be included 
in iAPX 286/20 
code to 
handle 
these situations. 


7. 
Interrupt 
9 will occur if the second or subsequent 
words of a floating-point 
operand 
fall outside 
a 
segment's 
size. Interrupt 
13 will occur if the starting 
address 
of a numeric 
operand 
falls outside 
a 
segment's 
size. An exception 
handler 
should 
be included 
in iAPX 
286/20 
code to report 
these 
programming 
errors. 


8. 
Except 
for the processor 
control 
instructions, 
all of the 80287 numeric 
instructions 
are automati- 
cally synchronized 
by the 80286 CPU-the 
80286 automatically 
tests the BUSY 
line from the 
80287 to ensure 
that 
the 80287 has completed 
its previous 
instruction 
before 
executing 
the next 
ESC 
instruction. 
No explicit 
WAIT 
instructions 
are required 
to assure 
this synchronization. 
For 
the 8087 used with iAPX 
86 and iAPX 
88 processors, 
explicit 
WAITs 
are required 
before 
each 


numeric 
instruction 
to ensure 
synchronization. 
Although 
iAPX 
86/20 
programs 
having 
explicit 


WAIT 
instructions 
will execute 
perfectly 
on the iAPX 
286/20 
without 
reassembly, 
these WAIT 


instructions 
are unnecessary. 


9. 
Since the 80287 does not require WAIT 
instructions 
before each numeric 
instruction, 
the ASM286 
assembler 
does 
not automatically 
generate 
these 
WAIT 
instructions. 
The 
ASM86 
assembler, 


however, automatically 
precedes every ESC instruction 
with aWAIT 
instruction. 
Although 
numeric 
routines 
generated 
using the ASM86 
assembler 
will generally 
execute 
correctly 
on the iAPX 286/ 
20, reassembly 
using ASM286 
may result in a more compact 
code image. 


The processor 
control instructions 
for the 80287 may be coded using either a WAIT 
or No-WAIT 
form of mnemonic. 
The WAIT 
forms of these instructions 
cause 
ASM286 
to precede 
the ESC 
instruction 
with a CPU WAIT 
instruction, 
in the identical 
manner 
as does ASM86. 
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APPENDIX 
C 
IMPLEMENTING 
THE 
IEEE P754 
STANDARD 


The iAPX 286/20 computing system, containing the 80287 NPX and standard support library software, 
provides an implementation of the IEEE "A Proposed Standard for Binary Floating-Point Arithmetic," 
Draft 10.0, Task P754, of December 2,1982. The 80287 Support Library, described in 80287 Support 
Library Reference Manual, Order Number 122129, is an example of such a support library. 


This appendix describes the relationship between the 80287 NPX and the IEEE Standard. Where the 
Standard has options, Intel's choices in implementing the 80287 are described. Where portions of the 
Standard are implemented through software, this appendix indicates which modules of the 80287 
Support Library implement the Standard. Where special software in addition to the Support Library 
may be required by your application, this appendix indicates how to write this software. 


This appendix contains many terms with precise technical meanings, specified in the 754 Standard. 
Where these terms are used, they have been capitalized to emphasize the precision of their meanings. 
The Glossary provides the definitions for all capitalized phrases in this appendix. 


The 80287 SHORT_REAL 
and LONG_REAL 
formats conform precisely to the Standard's Single 
and Double Floating-Point Numbers, respectively. The 80287 TEMP_REAL format is the same as the 
Standard's Double Extended format. The Standard allows a choice of Bias in representing the exponent; 
the 80287 uses the Bias 16383 decimal. 


For the Double Extended format, the Standard contains an option for the meaning of the minimum 
exponent combined with a nonzero significand. The Bias for this special case can be either 16383, as 
in all the other cases, or 16382, making the smallest exponent equivalent to the second-smallest exponent. 
The 80287 uses the Bias 16382 for this case. This allows the 80287 to distinguish between Denormal 
numbers (integer part is zero, fraction is nonzero, Biased exponent is 0) and Unnormal numbers of the 
same value (same as the denormal except the Biased Exponent is 1). 


The Standard allows flexibility in specifying which NaNs are trapping and which are nontrapping. The 
EH287.LIB module of the 80287 Support Library provides a software implementation of nontrapping 
NaNs, and defines one distinction between trapping and nontrapping NaNs: If the most significant bit 
of the fractional part of a NaN is I, the NaN is nontrapping. If it is 0, the NaN is trapping. 


When a masked Invalid Operation error involves two NaN inputs, the Standard allows flexibility in 
choosing which NaN is output. The 80287 selects the NaN whose absolute value is greatest. 


There are five areas of the Standard that are not implemented directly in the 80287 hardware; these 
areas are instead implemented in software as part of the 80287 Support Library. 


I. 
The Standard requires that a Normalizing Mode be provided, in which any nonnormal operands 
to functions are automatically normalized before the function is performed. The NPX provides a 
"Denormal operand" exception for this case, allowing the exception handler the opportunity to 
perform the normalization specified by the Standard. The Denormal operand exception handler 
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N> 
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UUUUIt: 
DXltmUeaoperanas ISImplemented in 
EH287.LIB with one non-Standard feature, discussed in the next section. 


2. 
The Standard specifies that in comparing two operands whose relationship is "unordered," 
the 
equality test yield an answer of FALSE, with no errors or exceptions. The 80287 FCOM and 
FTST instructions themselves issue an Invalid Operation exception in this case. The error handler 
EH287.LIB filters out this Invalid Operation error using the following convention: Whenever an 
FCOM or FTST instruction is followed by a MOY AX,AX instruction (8BCO Hex), and neither 
argument is a trapping NaN, the error handler will assume that a Standard equality comparison 
was intended, and return the correct answer with the Invalid Operation exception flag erased. 
Note that the Invalid Operation exception must be unmasked for this action to occur. 


3. 
The Standard requires that two kinds of NaN's be provided: trapping and nontrapping. Nontrap- 
ping NaNs will not cause further Invalid Operation errors when they occur as operands to calcu- 
lations. The NPX hardware directly supports only trapping NaN's; the EH287.LIB software 
implements nontrapping NaNs by returning the correct answer with the Invalid Operation excep- 
tion flag erased. Note that the Invalid Operation exception must be unmasked for this action to 
occur. 


4. 
The Standard requires that all functions that convert real numbers to integer formats automati- 
cally normalize the inputs if necessary. The integer conversion functions contained in CEL287.LIB 
fully meet the Standard in this respect; the 80287 FIST instruction alone does not perform this 
normalization. 


5. 
The Standard specifies the remainder function which is provided by mqerRMD in CEL287.LIB. 
The 80287 FPREM instruction returns answers within a different range. 


There are two cases in which additional software is required in conjunction with the 80287 Support 
Library in order to meet the standard. The 80287 Support Library does not provide this software in 
the interest of saving space and because the vast majority of applications will never encounter these 
cases. 


1. 
When the Invalid Operation exception is masked, Nontrapping NaNs are not implemented fully. 
Likewise, the Standard's 
equality test for "unordered" 
operands is not implemented when the 


Invalid Operation exception is masked. Programmers can simulate the Standard notion of a masked 
Invalid Operation exception by unmasking the 80287 Invalid Operation exception, and providing 
an Invalid Operation exception handler that supports nontrapping NaNs and the equality test, but 
otherwise acts just as if the Invalid Operation exception were masked. The 80287 Support Library 
Reference Manual 
contains examples for programming this handler in both ASM286 
and 
PL/M-286. 
2. 
In Normalizing Mode, Denormal operands in the TEMP_REAL 
format are converted to 0 by 
EH287.LIB, giving sharp Underflow to O.The Standard specifies that the operation be performed 
on the real numbers represented by the denormals, giving gradual underflow. To correctly perform 
such arithmetic while in Normalizing Mode, programmers would have to normalize the operands 
into a format identical to TEMP_REAL 
except for two extra exponent bits, then perform the 
operation on those numbers. Thus, software must be written to handle the 17-bitexponent explicitly. 


In designing the EH287.LIB, it was felt that it would be a disadvantage to most users to increase the 
size of the Normalizing routine by the amount necessary to provide this expanded arithmetic. Because 
the TEMP_REAL 
exponent field is so much larger than the LONG_REAL 
exponent field, it is 


extremely unlikely that TEMP_REAL underflow will be encountered in most applications. 


inter 


If meeting 
the Standard 
is a more important 
criterion 
for your application 
than 
the choice 
between 
Normalizing 
and warning 
modes, 
then you can select 
warning 
mode (Denormal 
operand 
exceptions 
masked), 
which fully meets the Standard. 


If you do wish to implement 
the Normalization 
of denormal 
operands 
in TEMP_REAL 
format 
using 
extra 
exponent 
bits, the list below indicates 
some useful 
pointers 
about 
handling 
Denormal 
operand 
exceptions: 


1. 
TEMP_REAL 
numbers 
are considered 
Denormal 
by the NPX 
whenever 
the Biased 
Exponent 
is 
o (minimum 
exponent). 
This is true even if the explicit 
integer 
bit of the significand 
is I. Such 
numbers 
can occur as the result of Underflow. 


2. 
The 80287 
FLD 
instruction 
can cause 
a Denormal 
Operand 
error 
if a number 
is being 
loaded 
from memory. 
It will not cause this exception 
if the number 
is being loaded from elsewhere 
in the 
80287 stack. 


3. 
The 80287 FCOM 
and FTST instructions 
will cause a Denormal 
Operand 
exception 
for unnormal 
operands 
as well as for denormal 
operands. 


4. 
In cases where both the Denormal 
Operand 
and Invalid Operation 
exceptions 
occur, you will want 
to know which is signalled 
first. When 
a comparison 
instruction 
operates 
between 
a nonexistent 
stack element 
and a denormal 
number 
in 80286 memory, 
the D and I exceptions 
are issued simul- 
taneously 
In all other situations, 
a Denormal 
Operand 
exception 
takes precedence 
over a nonstack 
Invalid 
operation 
exception, 
while a stack 
Invalid 
Operation 
exception 
takes 
precedence 
over a 
Denormal 
Operand 
exception. 


Appendix 
D 


80287 8o-Bit HMOS 
Numeric Processor 
Extension 


SO-Bit HMOS 
NUMERIC PROCESSOR EXTENSION 
80287-3 


• 
High Performance 
80-Blt 
Internal 


Architecture 


• 
Implements 
Proposed 
IEEE Floating 


Point Standard 
754 


• 
Expands 
IAPX 286/10 Datatypes 
to 


Include 
32-, 64-, 80-Blt 
Floating 
Point, 


32-, 64-Blt 
Integers 
and 18-Dlglt 
BCD 


Operands 


• 
Object 
Code Compatible 
with 8087 


• 
Built-In 
Exception 
Handling 


• 
Operates 
In Both Real and Protected 


Mode IAPX 286 Systems 


• 
Protected 
Mode Operation 
Completely 
Conforms 
to the IAPX 286 Memory 
Management 
and Protection 
Mechanisms 


• 
Directly 
Extends 
IAPX 286/10 Instruction 
Set to Trigonometric, 
Logarithmic, 
Exponential 
and Arithmetic 
Instructions 
for All Datatypes 


• 
8x80-Blt, 
Individually 
Addressable, 
Numeric 
Register 
Stack 


• 
Available 
In EXPRESS-Standard 
Temperature 
Range 


The 
Inte~ 
80287 
is a high 
performance 
numerics 
processor 
extension 
that 
extends 
the 
iAPX 
286/10 
architecture 
with floating 
point, extended 
integer 
and BCD data types. The iAPX 286/20 computing 
system 
(80286 
with 
80287) 
fully 
conforms 
to the 
proposed 
IEEE Floating 
Point 
Standard. 
Using 
a numerics 
oriented 
architecture. 
the 80287 adds over fifty 
mnemonics 
to the iAPX 286/20 instruction 
set, making 
the 
iAPX 286/20 a complete 
solution 
for high performance 
numeric 
processing. 
The 80287 is implemented 
in 
N-channel. 
depletion 
load, silicon 
gate technology 
(HMOS) 
and packaged 
in a 40-pin 
ceramic 
package. 


The iAPX 286/20 is object 
code 
compatible 
with 
the iAPX 86/20 and iAPX 88/20. 
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Symbols 
Type 
Name 
and Function 


ClK 
I 
Clock 
input: 
this clock 
provides 
the basic timing 
for internal 
80287 opera- 


tions. 
Special 
MOS 
level 
inputs 
are required. 
The 82284 
or 8284A 
ClK 


outputs 
are compatible 
to this input. 


CKM 
I 
Clock 
Mode 
signal: 
indicates 
whether 
ClK 
input 
is to be divided 
by 3 or 


used directly. 
A HIGH input will cause 
ClK 
to be used directly. 
This input 


may be connected 
to Vcc or Vss as appropriate. 
This input must be either 


HIGH or LOW 20 CLK cycles before RESET goes Law. 


RESET 
I 
System 
Reset: 
causes the 80287 to immediately 
terminate 
its present 
ac- 


tivity and enter a dormant 
state. RESET is required 
to be HIGH for more than 


480287 
ClK 
cycles. For proper 
initialization 
the HIGH-lOW 
transition 
must 


occur 
no sooner 
than 50 J.Ls after 
Vcc 
and ClK 
meet their 
D.C. and A.C. 


specifications. 


015-00 
I/O 
Data: 
16-bit 
bidirectional 
data bus. Inputs 
to these 
pins 
may be applied 


asynchronous 
to the 80287 clock. 


BUSY 
0 
Busy status: 
asserted 
by the 80287 to indicate 
that it is currently 
executing 


a command. 


ERROR 
0 
Error 
status: 
reflects 
the ES bit of the status 
word. 
This signal 
indicates 


that an unmasked 
error 
condition 
exists. 


PEREa 
0 
Processor 
Extension 
Data Channel 
operand 
transfer 
request: 
a HIGH on 


this output 
indicates 
that the 80287 is ready to transfer 
data. PEREa 
will be 


disabled 
upon assertion 
of PEACK or upon actual 
data transfer, 
whichever 


occurs 
first, 
if no more transfers 
are required. 


PEACK 
I 
Processor 
Extension 
Data Channel 
operand 
transfer 
ACKnowledge: 
ack- 


nowledges 
that 
the 
request 
signal 
(PEREa) 
has been 
recognized. 
Will 


cause 
the 
request 
(PEREa) 
to be withdrawn 
in case there 
are no more 


transfers 
required. 
PEACK may be asynchronous 
to the 80287 clock. 


NPRD 
I 
Numeric 
Processor 
Read: 
Enables 
transfer 
of data from 
the 80287. 
This 


input 
may be asynchronous 
to the 80287 clock. 


NPWR 
I 
Numeric 
Processor 
Write: 
Enables 
transfer 
of data to the 80287. This input 


may be asynchronous 
to the 80287 clock. 


NPS1, NPS2 
I 
Numeric Processor Selects: indicate the CPU is performing 
an ESCAPE instruc- 


tion. Concurrent 
assertion 
of these signals 
(i.e., I'JI5ST is LOW and NPS2 is 


HIGH) enables the 80287 to perform floating point instructions. 
No data trans- 


fers involving 
the 80287 
will occur 
unless 
the device 
is selected 
via these 


lines. These inputs may be asynchronous 
to the 80287 clock. 


CMD1, CMDO 
I 
Command 
lines: These, along with select inputs, allow the CPU to direct 
the 


operation 
of the 80287. 


These 
inputs 
may be asynchronous 
to the 80287 clock. 


Symbols 
Type 
Name and Function 


ClK286 
I 
CPU Clock: This input provides a sampling edge for the 80287 inputs S1, SO, 
COD/INTA, READY, and HlDA. It must be connected 
to the 80286 ClK input. 


S1, SO_ 
I 
Status: These inputs must be connected 
to the corresponding 
80286 pins. 


COD/INTA 


HlDA 
I 
Hold Acknowledge: 
This input informs the 80287 when the 80286 controls 


the local bus. It must be connected 
to the 80286 HlDA 
output. 


READY 
I 
Ready: The end of a bus cycle is signaled by this input. It must be connected 
to the 80286 READY input. 


VSS 
I 
System ground, 
both pins must be connected 
to ground. 


VCC 
I 
+5V supply 


The 80287 Numeric 
Processor 
Extension 
(NPX) 


provides 
arithmetic 
instructions 
for a variety 
of 


numeric data types in iAPX 286/20 systems. It also 
executes 
numerous 
built-in 
transcendental 
func- 


tions (e.g., tangent 
and log functions). 
The 80287 


executes 
instructions 
in parallel 
with 
a 80286. It 


effectively 
extends the register and instruction 
set 


of an iAPX 286/10 system for existing 
iAPX 286 
data types and adds several new data types as well. 
Figure 
3 presents 
the 
program 
visible 
register 
model of the iAPX 286/20. Essentially, the 80287 
can be treated 
as an additional 
resource 
or an 


extension to the iAPX 286/10 that can be used as a 
single unified 
system, the iAPX 286/20. 


80287 
STACK: 


78 
64 
63 


EXPONENT 


80286 


lS 
FILE: 
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BX 


CX 


OX 
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CONTROL 
REGISTER 


STATUS 
REGISTER 


TAG WORD 


__ INSTRUCTION 
POINTER 
_ 
- 
DATA 
POINTER 
- 


inter 


The 80287 has two operating 
modes similar 
to the 


two modes 
of the 80286. When 
reset, 80287 is in 


the 
real address 
mode. 
It can 
be placed 
in the 


protected 
virtual 
address 
mode 
by executing 
the 


SETPM 
ESC 
instruction. 
The 
80287 
cannot 
be 


switched 
back to the real address 
mode except 
by 


reset. In the real address 
mode, the iAPX 286/20 is 


completely 
software 
compatible 
with 
iAPX 86/20, 
88/20. 


Once in protected 
mode, all references 
to memory 


for numerics 
data or status 
information, 
obey the 


iAPX 
286 
memory 
management 
and 
protection 


rules 
giving 
a fUlly 
protected 
extension 
of 
the 


80286 
CPU. In the 
protected 
mode, 
iAPX 286/20 


numerics 
software 
is also completely 
compatible 


with 
iAPX 86/20 and iAPX 88/20. 


SYSTEM CONFIGURATION 


As a processor 
extension 
to an 80286, the 80287 


can be connected 
to the CPU as shown 
in Figure 4. 
The 
data 
channel 
control 
signals 
(PEREQ, 
PEACK), 
the BUSY signal 
and the NPRD, NPWR 


signals, 
allow the NPX to receive 
instructions 
and 


data from the CPU. When in the protected 
mode, all 


information 
received 
by the NPX is validated 
by the 


80286 memory 
management 
and protection 
unit. 


Once 
started, 
the 
80287 
can 
process 
in parallel 


with 
and independent 
of the host CPU. When the 


NPX detects 
an error 
or exception, 
it will 
indicate 


this to the CPU by asserting 
the ERROR signal. 


The NPX uses the processor 
extension 
request 
and 


acknowledge 
pins of the 80286 CPU to implement 


data transfers 
with 
memory 
under 
the protection 


model 
of the 
CPU. The 
full 
virtual 
and 
physical 


address 
space 
of the 80286 is available. 
Data for 


the 80287 in memory 
is addressed 
and represented 


in the same manner 
as for an 8087. 


The 80287 can operate either directly 
from the CPU 


clock or with a dedicated 
clock. 
For operation 
with 


the CPU clock 
(CKM=O), 
the 80287 works 
at one- 


third the frequency 
of the system clock 
(i.e., for an 


8 MHz 80286, the 16 MHz system 
clock 
is divided 


down to 5.3 MHz). The 80287 provides 
a capability 


to internally 
divide 
the CPU clock 
by three to pro- 


duce the required 
internal 
clock 
(33% duty cycle). 


To use a higher 
performance 
80287 (8 MHz), an 


8284A clock 
driver and appropriate 
crystal 
may be 


used 
to directly 
drive 
the 80287 
with 
a 1/3 duty 


cycle 
clock 
on the ClK 
input 
(CKM = 1). 


HARDWARE 
INTERFACE 


Communication 
of instructions 
and data operands 
between 
the 80286 
and 80287 
is handled 
by the 
CMDO, CMD1, JiJPST,NPS2, 1iJl5RI:i,and f\JJ5WRsig- 
nals. I/O port addresses 
00F8H, OOFAH,and OOFCH 
are used by the 80286 for this communication. 
When 
any of these 
addresses 
are used, the JiJPST input 
must be lOW and NPS2 input HIGH. The IORC and 
IOWC outputs of the 82288 identify I/O space trans- 
fers (see Figure 4). CMDO should 
be connected 
to 
latched 80286 A1 and CMD1 should be connected 
to 
latched 
80286 
A2. The ST, SO, COD/JmA,REAO?, 


HlDA, 
and ClK 
pins of the 80286 are connected 
to 
the same named pins on the 80287. 


I/O ports 
00F8H 
to 
OOFFH are 
reserved 
for 
the 
80286/80287 
interface. 
To guarantee 
correct 
oper- 


ation of the 80287, programs 
must not perform 
any 
1/0 operations 
to these 
ports. 


The PEREQ, PEACK, BUSY, and ERROR signals 
of 


the 80287 are connected 
to the same-named 
80286 
input. The data pins of the 80287 should 
be directly 
connected 
to the 80286 data bus. Note that all bus 
drivers 
connected 
to the 80286 local bus must be 
inhibited 
when 
the 
80286 
reads 
from 
the 
80287. 


The 
use of COD/INTA 
and 
M/iO 
in the 
decoder 


prevents 
INTA bus cycles 
from 
disabling 
the data 
transceivers. 


PROGRAMMING 
INTERFACE 


Table 2 lists the seven data types 
the 80287 sup- 


ports and presents 
the format 
for each type. These 
values are stored 
in memory 
with the least signifi- 


cant 
digits 
at the 
lowest 
memory 
address. 
Pro- 
grams 
retrieve 
these 
values 
by generating 
the 
lowest 
address. 
All 
values 
should 
start 
at even 


addresses 
for maximum 
system 
performance. 


Internally 
the 80287 holds all numbers 
in the tem- 


porary 
real 
format. 
load 
instructions 
automati- 
cally convert 
operands 
represented 
in memory 
as 


16-, 32-, or 64-bit 
integers, 
32- or 64-bit 
floating 


point 
number 
or 18-digit 
packed 
BCD 
numbers 
into temporary 
real format. 
Store instructions 
per- 
form the reverse 
type 
conversion. 


80287 computations 
use the 
processor's 
register 


stack. 
These 
eight 
80-bit 
registers 
provide 
the 


eq uivalent 
capacity 
of 
40 
16-bit 
registers. 
The 


80287 register 
set can be accessed 
as a stack, with 


inter 


RESET 


READY 


82284 
ClK I-- 


511-- 


Sol---< 


READY 


ClK 
51 


So 


MIlO 


DT/R 


ALE 
IORC 


RESET 


READY 


ClK 


80286 
0,,-00 -- 


"'cr"''''IT''' "'IT 


-_ 
ccc 
c(c(c(c(c(c( 


\ 
~1 
H 


A2 Al AO El I 
E2 
8205 
f-- 
E3 
0, 


I 


MIlO 


f- 
ERROR 
PEREQ f- 


~ 
BUSY 
PEACK 
~ 
COD/INTA HlDA 


CODIINTA HlDA 
RESET 
PEACK- 


READY 
PEREQ- 


ClK286 


51 
0,,-00 
-DATA 
So 
80287 


NPS2 -Vcc 


NPSl 


CMDl 


CMDO 
CKM 


NPWR 


- 
ERROR 


- 
BUSY 
ClK 


~ 
OE 
T 
8286 
OR 
8287 
L.....- 


Most Significant 
Byte 
HIGHEST 
ADDRESSED 
BYTE 
Data 
Range 
Precision 
017 
017 
017 
017 
017 
017 
017 
017 
017 
o I 
Formats 
7 


Word 
Integer 
104 
16 Bits 
.1 
I (TWO'S 
S MAGNITUDE 
COMPLEMENT) 


15 
0 


I 


Short 
Integer 
109 
32 
Bits 
SI 
MAGNITUDE 
IITWO'S 
COMPLEMENT) 


31 
0 


Long 
Integer 
1019 
64 
Bits 
SI 
MAGNITUDE 
IITWO'S 
COMPLEMENT) 


63 
0 


1018 
SI 
x Id\7 


MAGNITUDE 


doI 
Packed 
BCD 
18 Digits 
d1tl 
d15 
I dill 
d13 I d12 
dl1 
dlUI 
dg 
d, 
d, 
d. 
d~ I dJ 
dj 
• dJ 
I d1 


79 
72 
0 


Short 
Real 
10±38 
24 
Bits 
;1 
BIASED 
1 
SIGNIFICAND I 
S EXPONENT 


31 
23'-- 
I' 
0 


Long 
Real 
10±308 
53 
Bits 
sl 
BIASED 
I 
SIGNIFICAND 
I 
EXPONENT 


63 
52~ 
0 
I, 


Temporary 
Real 
10±4932 
64 
Bits 
sl 
BIASED 
~ 
SIGNIFICAND 
I 
EXPONENT 


79 
64 63' 
0 


NOTES: 
(1) S = Sign bit (0 = positive, 
1 = negative) 
(2) dn = Decimal digit (two per byte) 


(3) X = Bits have no significance; 
8087 ignores 
when load- 


ing, zeros when storing. 
(4) ,= Position of implicit 
binary point 


(5) I = Integer 
bit of significand; 
stored 
in temporary 
real, 
implicit 
in short and long real 


instructions 
operating 
on the 
top 
one 
or two 
stack 


elements, 
or 
as a fixed 
register 
set, 
with 
instruc- 
tions 
operating 
on explicitly 
designated 
registers. 


Table 
6 lists 
the 
80287'5 
instructions 
by class. 
No 


special 
programming 
tools 
are 
necessary 
to 
use 


the 
80287 
since 
all new 
instructions 
and 
data 
types 


are 
directly 
supported 
by the 
iAPX 
286 
assembler 


(6) Exponent 
Bias (normalized 
values): 


Short Real: 127 (7FH) 
Long Real: 1023 (3FFH) 
Temporary 
Real: 16383 (3FFFH) 


(7) Packed BCD: (-1)5(017" 
.00) 


(8) Real: (_1)s(2E-BIASHFo Fl"') 


and 
appropriate 
high 
level 
languages. 
All 
iAPX 


86/88 
development 
tools 
which 
support 
the 
8087 


can 
also 
be used 
to develop 
software 
for 
the 
iAPX 


286/20 
in 
real 
address 
mode. 


Table 
3 gives 
the 
execution 
times 
of 
some 
typical 
numeric 
instructions. 


inter 


Approximate 
Execution 
Time (/LI) 


Floating 
Point Instruction 
80287 
(5 MHz Operation) 


Add/Subtract 
14/18 


Multiply 
(single 
precision) 
19 


Multiply 
(extended 
precision) 
27 


Divide 


--;- 
39 
. 


Compare 
. 
. 
9 


Load (double 
precision) 
10 


Store (double 
precision) 
j 
. 
21 


Square 
Root 
, 
36 


Tangent 
. 
- 
90 
. 


Exponentiation 
100 


SOFTWARE 
INTERFACE 


The iAPX 286/20 is programmed 
as a single 
pro- 


cessor. All communication 
between 
the 80286 and 


the 80287 is transparent 
to software. 
The CPU au- 


tomatically 
controls 
the 80287 whenever 
a numeric 


instruction 
is executed. 
All 
memory 
addressing 


modes, 
physical 
memory, 
and virtual 
memory 
of 


the CPU are available 
for use by the NPX. 


Since 
the NPX operates 
in parallel 
with 
the CPU, 
any errors 
detected 
by the NPX may be reported 


after 
the CPU has executed 
the ESCAPE 
instruc- 


tion which 
caused 
it. To allow 
identification 
of the 


failing 
numeric 
instruction, 
the NPX contains 
two 


pointer 
registers 
which 
identify 
the address 
of the 


failing 
numeric 
instruction 
and 
the 
numeric 


memory 
operand 
if appropriate 
for the instruction 


encountering 
this error. 


INTERRUPT 
DESCRIPTION 


Several 
interrupts 
of the 
iAPX 
286 are 
used 
to 


report 
exceptional 
conditions 
while 
executing 


numeric 
programs 
in either 
real 
or 
protected 


mode. 
The 
interrupts 
and 
their 
functions 
are 


shown 
in Table 4. 


PROCESSOR 
ARCHITECTURE 


As shown 
in Figure 
1. the NPX is internally 
divided 


into 
two 
processing 
elements, 
the 
bus interface 


unit (BIU) and the numeric 
execution 
unit (NEU). 


The NEU executes 
all numeric 
instructions, 
while 


the 
BIU 
receives 
and 
decodes 
instructions, 
re- 


quests operand 
transfers 
to and from memory 
and 


executes 
processor 
control 
instructions. 
The two 


units 
are able 
to 
operate 
independently 
of one 


another 
allowing 
the 
BIU to maintain 
asynchro- 


nous communication 
with the CPU while the NEU 


is busy processing 
a numeric 
instruction. 


BUS INTERFACE UNIT 
The BIU decodes the ESC instruction 
executed by the 


CPU. If the ESC code defines a math instruction, 
the 


BIU transmits the formatted 
instruction 
to the NEU. If 


the ESC code defines an administrative 
instruction, 


the BIU executes 
it independently 
of the NEU. The 


parallel operation of the NPX with the CPU is normally 
transparant 
to the user. The BIU generates the BlJSY 


and ~ 
signals for 80826/80287 
processor 
syn- 


chronization 
and error notification, 
respectively. 


The 80287 executes 
a single numeric 
instruction 
at 


a time. When executing 
most ESC instructions, 
the 


Interrupt 
Number 
Interrupt 
Function 


7 
An ESC instruction 
was encountered 
when 
EM or TS of the 80286 MSW was set. 


EM=1 
indicates 
that software 
emulation 
of the instruction 
is required. 
When TS is 


set, either 
an ESC or WAIT instruction 
will cause interrupt 
7. This indicates 
that the 
current 
NPX context 
may not belong 
to the current 
task. 


9 
The second 
or subsequent 
words 
of a numeric 
operand 
in memory 
exceeded 
a 


segment's 
limit. This interrupt 
occurs after executing 
an ESC instruction. 
The saved 
return address 
will not point at the numeric 
instruction 
causing 
this interrupt. 
After 


processing 
the addressing 
error, the 
iAPX 286 program 
can be restarted 
at the 
return 
address 
with 
IRET. The 
address 
of 
the 
failing 
numeric 
instruction 
and 


numeric 
operand 
are saved in the80287. 
An interrupt 
handler 
for this interrupt must 


execute 
FNINIT before any other 
ESC or WAIT instruction. 


13 
The starting 
address 
of a numeric 
operand 
is not in the segment's 
limit. The return 


address 
will point at the ESC instruction, 
including 
prefixes, 
causing 
this error. The 


80287 nas not executed 
this instruction. 
The instruction 
and data address 
in 80287 
refer to a previous, correctly 
executed, 
instruction. 


16 
The previous 
numeric 
instruction 
caused an unmasked 
numeric 
error. The address 


of the faulty 
numeric 
instruction 
or numeric 
data operand 
is stored 
in the 80287. 


Only ESC or WAIT instructions 
can cause this interrupt. 
The 80286 return 
address 
will point 
at a WAIT or ESC instruction, 
including 
prefixes, 
which 
may be restarted 


after 
clearing 
the error 
condition 
in the NPX. 


80286 tests the SOSY pin and waits until the 80287 
indicates that it is not busy before initiating the com- 
mand. Once initiated, the 80286 continues 
program 


execution while the 80287 executes the ESC instruc- 
tion. In iAPX 86/20 
systems, this synchronization 
is 


achieved by placing a WAIT instruction 
before an ESC 


instruction. For most ESC instructions, the iAPX 286/20 
does not require a WAIT instruction 
before the ESC 


opcode. 
However, the iAPX 286/20 
will operate cor- 


rectly with these WAIT instructions. 
In all cases, a WAIT 


or ESC instruction 
should be inserted after any 80287 


store to memory (except FSTSW and FSTCWj or load 
from memory (except FLDENV or FRSTOR) before the 
80286 
reads or changes 
the value to be sure the 


numeric 
value has already 
been written or read by 


the NPX. 


Data transfers 
between 
memory 
and 
the 
80287, 


when 
needed, 
are 
controlled 
by 
the 
PEREQ 


PEACK, 
NPRD, NPWR, 
NPS1, NPS2 signals. 
The 


80286 does the actual 
data transfer 
with 
memory 


through 
its 
processor 
extension 
data 
channel. 


Numeric 
data transfers 
with memory 
performed 
by 


the 80286 
use the same timing 
as any other 
bus 


cycle. Control 
signals 
for the 80287 are generated 


by the 80826 as shown 
in Figure 
4, and meet the 
timing 
requirements 
shown 
in the 
AC 
require- 


ments 
section. 


NUMERIC 
EXECUTION 
UNIT 


The NEU executes 
all instructions 
that involve the 


register stack; these include arithmetic, 
logical, tran- 
scendental, 
constant 
and data transfer 
instructions. 


The data path in the NEU is 84 bits wide (68 signifi- 
cand 
bits, 15 exponent 
bits and a sign 
bit) which 
allows internal operand transfers to be performed 
at 
very high speeds. 


When the NEU begins 
executing 
an instruction, 
it 


activates 
the BIU BUSY signal. 
This signal 
is used 
in conjunction 
with 
the CPU WAIT instruction 
or 


automatically 
with most of the ESC instructions 
to 
synchronize 
both 
processors. 


REGISTER 
SET 


The 80287 register 
set is shown 
in Figure 5. Each of 


the eight data registers 
in the 80287's 
register 
stack 


DATA FIELD 


6463 


CONTROL 
REGISTER 


STATUS 
REGISTER 


TAG WORD 


- 
INSTRUCTION 
POINTER 
- 
- 
DATA 
POINTER 
- 


is 80 bits wide 
and is divided 
into "fields" 
corre- 


sponding 
to the NPX's temporary 
real data type. 


At a given 
point 
in time the ST field 
in the status 


word 
identifies 
the current 
top-of-stack 
register. 
A 


"push" 
operation 
decrements 
ST by 1 and loads a 


value into the new top register. 
A "pop" 
operation 


stores 
the value from 
the current 
top register 
and 


then 
increments 
ST 
by 
1. Like 
80286 
stacks 
in 


memory, 
the 80287 
register 
stack 
grows 
"down" 
toward 
lower-addressed 
registers. 


Instructions 
may address 
the data registers 
either 


implicitly 
or explicitly. 
Many instructions 
operate 
on 


the 
register 
at the 
Stack 
Top. 
These 
instructions 


implicitly 
address 
the 
register 
pointed 
by the ST. 
Other instructions 
allow the programmer 
to explic- 


itly specify 
the register 
which 
is to be used. 
This 


explicit 
register 
addressing 
is also "top-relative." 


Bits 14-12 ofthe status word points to the 80287 regis- 
ter that is the current top-of-stack 
(ST) as described 


above. 
Figure 
6 shows 
the 
six error 
flags 
in bits 


5-0 of the status 
word. 
Bits 5-0 are set to indicate 


that 
the 
NEU 
has 
detected 
an exception 
while 


executing 
an instruction. 
The section 
on exception 


handling 
explains 
how they are set and used. 


The instructions 
FSTSW, FSTSW AX, FSTENV, and 


FSAVE which 
store the 
status 
word 
are executed 


exclusively 
by the BIU and do not set the busy bit 


themselves 
or require 
the 
Busy 
bit be cleared 
in 


order to be executed. 


The four 
numeric 
condition 
code 
bits (CO-C3) 
are 


similar to the flags in a CPU: instructions 
that perform 


arithmetic 
operations 
update these bits to reflect the 


outcome 
of NPX operations. 
The effect 
of these 


instructions 
on the condition 
code bits is summarized 


in Tables 5a and 5b. 


Bits 14-12 of the status word pointtothe 
80287 regis- 


ter that is the current top-of-stack 
(ST) as desc~ibed 


above. 
Figure 6 shows 
the six error flags in bits 5-0 


of the status 
word. 
Bits 5-0 are set to indicate 
that 


the NEU has detected 
an exception 
while executing 


an instruction. 
The section 
on exception 
handling 


explains 
how they are set and used. 


Bit 7 is the error summary 
status bit. This bit is set if 


any unmasked exception 
bit is set and cleared other- 


wise. If this bit is set, the ERROR signal is asserted. 


1 B 1<:01 
ST 
Ic.d c, 
ICoIEsl 
x 
IPEluEloElzEIDEllEI 
I 


EXCE 


- 


(RESE 


ERRO 


CON 


STAC 


U 


PTION 
FLAGS 
(1 ~ EXCEPTION 
HAS OCCURRED) 


INVALID 
OPERATION" 


DENORMALIZED 
OPERAND" 


ZERO 
DIVIDE" 


OVERFLOW" 


UNDERFLOW" 


PRECISION" 


RVED) 


R SUMMARY STATUS(') 


DITION CODE(2) 


K TOP POINTER(31 


NE 
BUSY 


(') ES IS SET IF ANY UNMASKED 
EXCEPTION 
BIT IS SET, CLEARED OTHERWISE. 
(2) 
SEE TABLE 
'-4 
FOR CONDITION 
CODE 
INTERPRETATION. 
(3) ST VALUES 
000 
- 
REGISTER 0 IS TOP OF STACK 
001 
- 
REGISTER liS 
TOP OF STACK 


111 - 
REGISTER 7 IS TOP OF STACK 


'FOR DEFINITIONS, 
SEE THE SECTION ON EXCEPTION 
HANDLING 


TAG WORD 


The tag word marks the content 
of each register as 
shown in Rgure 7. The principal 
function 
of the tag 
word is to optimize the NPX's performance. 
The eight 
two-bit tags in the tag word can be used, however, to 
interpret the contents of 80287 registers. 


INSTRUCTION 
AND DATA POINTERS 


The instruction 
and data pointers 
(See Figures 
8a 
and 8b) are provided 
for user-written 
error 
hand- 
lers. Whenever 
the 80287 executes 
a new instruc- 
tion, 
the 
BIU saves the 
instruction 
address, 
the 
operand 
address 
(if present) 
and the instruction 
opcode. 
80287 instructions 
can store this data into 
memory. 


The instruction 
and data pointers 
appear 
in one of 
two formats 
depending 
on the operating 
mode of 
the 80287. In real mode, these values are the 20-bit 
physical 
address 
and 11-bit opcode 
formatted 
like 
the 8087. In protected 
mode, these values 
are the 
32-bit 
virtual 
addresses 
used 
by the 
program 


which 
executed 
an 
ESG 
instructidn. 
The 
same 
FLDENV/FSTENV/FSAVE/FRSTOR 
instructions 
as 
those of the 8087 are used to transfer 
these values 
between 
the 80287 registers 
and memory. 


The saved 
instruction 
address 
in the 
80287 
will 
point 
at any prefixes 
which 
preceded 
the instruc- 
tion. This is different 
than 
in the 8087 which 
only 
pointed 
at the ESCAPE 
instruction 
opcode. 


CONTROL 
WORD 


The 
NPX 
provides 
several 
processing 
options 
which are selected 
by loading 
a word from memory 
into the control 
word. 
Figure 
9 shows 
the format 
and encoding 
of fields 
in the control 
word. 


The low order byte of this control 
word configures 
the 80287 error and exception 
masking. 
Bits 5-0 of 
the control 
word contai n individual 
masks for each 
of the six exceptions 
that 
the 80287 
recognizes. 


The high order byte of the control 
word configures 
the 
80287 
operating 
mode 
including 
precision, 


Instruction 
C:3 
C:! 
C1 
Co 
Interpretation 
Type 


Compare, Test 
0 
0 
X 
0 
ST > Source or 0 (FTST) 
0 
0 
X 
1 
ST < Source or 0 (FTST) 


1 
0 
X 
0 
ST = Source or 0 (FTST) 
1 
1 
X 
1 
ST is not comparable 


Remainder 
01 
0 
00 
02 
Complete 
reduction 
with 


three 
low 
bits 
of quotient 


(See Table 5b) 


U 
1 
U 
U 
Incomplete 
Reduction 


Examine 
0 
0 
0 
0 
Valid, positive 
unnormalized 


0 
0 
0 
1 
Invalid, positive, exponent 
=0 


0 
0 
1 
0 
Valid, negative, unnormalized 


0 
0 
1 
1 
Invalid, negative, exponent 
=0 


0 
1 
0 
0 
Valid, positive, normalized 
0 
1 
0 
1 
Infinity, positive 
0 
1 
1 
0 
Valid, negative, normalized 
0 
1 
1 
1 
Infinity, negative 


1 
0 
0 
0 
Zero, positive 
1 
0 
0 
1 
Empty 


1 
0 
1 
0 
Zero, negative 
1 
0 
1 
1 
Empty 


1 
1 
0 
0 
Invalid, positive, exponent 
= 0 


1 
1 
0 
1 
Empty 
1 
1 
1 
0 
Invalid, negative, exponent 
= 0 


1 
1 
1 
1 
Empty 


NOTES: 
1. ST = Top of stack 
2. X = value is not affected 
by instruction 


3. U = value is undefined 
following 
instruction 


4. Qn = Quotient 
bit n 


Table 5b. Condition 
Code Interpretation 
after 


FPREM Instruction 
As a Function 
of 


Dividend 
Value 


Dividend 
Range 
02 
01 
00 


Dividend < 2 • Modulus 
~ 
C1 
00 


Dividend < 4 • Modulus 
~ 
01 
00 


Dividend;;;. 
4 • Modulus 
02 
01 
00 


NOTE: 
1. 
Previous value of indicated 
bit, not affected 
by FPREM 


instruction 
execution. 


rounding, 
and infinity 
control. 
The precision 
con- 


trol bits (bits 9-8) can be used to set the 80287 
internal 
operating 
precision 
at less 
than 
the 


default 
of temporary 
real (80-bit) precision. 
This 


can be useful in prOViding compatibility 
with the 


early generation 
arithmetic 
processors 
of smaller 


precision 
than the 80287. The rounding 
control 


bits (bits 11-10) provide for directed 
rounding 
and 


true chop as well as the unbiased round to nearest 
even mode specified 
in the IEEE standard. Control 


over closure of the number space at infinity 
is also 


provided 
(either affine closure: ± 00, or projective 


closure: 
00, is treated 
as unsigned, 
may 
be 


specified). 


inter 


NOTE: The index i of tag(i) is Il2l top-relative. A program 
typically uses the "top" field of StatusWordto deter- 
mine which tag(i) field refersto logical top of stack. 


TAG VALUES: 
00 ~ VALID 
01 ~ ZERO 
10 ~ INVALID 
or INFINITY 
11 = EMPTY 


CONTROL 
WORD 


STATUS WORD 


TAG WORD 


IP OFFSET 


CS SELECTOR 


. 


DATA OPERAND 
OFFSET 


DATA OPERAND 
SELECTOR 


EXCEPTION 
HANDLING 


The 80287 detects six different exception 
conditions 
that can occur 
during 
instruction 
execution. 
Any or 
all exceptions 
will cause 
the assertion 
of external 
~ 
signal and ES bit of the Status Word if the 
appropriate 
exception 
masks are not set. 


The exceptions that the 80287 detects and the 'default' 
procedures 
that will be carried out if the exception 
is 
masked, are as follows: 


Invalid 
Operation: 
Stack overflow, stack 
underflow, 
indeterminate 
form (0/0, 00, - 00, etc) or the. use of a 
Non-Number 
(NAN) as an operand. An exponent value 
of all ones and non-zero 
significand 
is reserved to 
identify NANs. If this exception 
is masked, the 80287 
default response is to generate a specific 
NAN called 


INDEFINITE, or to propogate 
already 
existing 
NANs 
as the calculation 
result. 


Overflow: 
The result 
is too large in magnitude 
to 
fit the specified 
format. 
The 80287 will generate 
an 
encoding 
for infinity 
if this exception 
is masked. 


Zero 
Divisor: 
The divisor 
is zero while 
the 
divi- 
dend is a non-infinite, 
non-zero 
number. 
Again, the 
80287 will generate 
an encoding 
for infinity 
if this 
exception 
is masked. 


Underflow: 
The result is non-zero 
but too small in 
magnitude 
to fit 
in the 
specified 
format. 
If this 
exception 
is masked 
the 82087 
will 
denormalize 
(shift 
right) 
the fraction 
until 
the 
exponent 
is in 
range. The process 
is called 
gradual 
underflow. 


inter 


MEMORY 
OFFSET 


15 
0 


CONTROL 
WORD 
+0 


STATUS 
WORD 
+2 


TAG WORD 
+4 


INSTRUCTION 
POINTER 
(15-0) 
+6 


INSTRUCTION 
INSTRUCTION 
+8 
POINTER 
(19-16) 
0 
OPCODE 
(10-0) 


DATA POINTER 
(15-0) 
+10 


DATA POINTER 
+12 
(19-16) 


15 
12 11 
0 


EXCEPTION 
MASKS 
(1 = EXCEPTION 
IS MASKED) 


INVALID 
OPERATION 


DENORMALIZED 
OPERAND 


ZERO DIVIDE 


OVERFLOW 


UNDERFLOW 


PRECISION 


(RESERVED) 


(RESERVED) 


PRECISION 
CONTROL 
'" 


ROUNDING 
CONTROL'2' 


INFINITY 
CONTROL 
(0 ~ PROJECTIVE, 
1 = AFFINE) 


(RESERVED) 


"'PRECISION CONTROL 


00 = 24 BITS (SHORT REAL) 
01 = RESERVED 
10 = 53 BITS (LONG REAL) 
11 = 64 BITS (TEMP REAL) 


"'ROUNDING CONTROL 


00 = ROUND 
TO NEAREST 
OR EVEN 


01 ~ ROUND 
DOWN 
(TOWARD 
-x) 
10 = ROUND 
UP (TOWARD 
+x) 
11 ~ CHOP (TRUNCATE 
TOWARD 
ZERO) 


Denormallzed 
Operand: 
At 
least 
one 
of 
the 


operands 
is denormalized; 
it has the smallest ex- 


ponent 
but a non-zero 
significand. 
Normal 
pro- 


cessing continues 
if this exception 
is masked off. 


Inexact Result: The true result is not exactly repre- 
sentable in the specified format, the result is rounded 
according to the rounding mode, and this flag is set. 
If this exception 
is masked, processing 
will simply 


continue. 


If the error is not masked, the corresponding 
error 


bit and the error status bit (ES) in the control 
word 


will be set, and the ERROR output 
signal will be 


asserted. 
If the CPU attempts 
to execute another 


ESC or WAIT instruction, 
exception 
7 will occur. 


The error condition 
must be resolved via an inter- 


rupt service routine. The 80287 saves the address 
of the floating 
point instruction 
causing 
the error 


as well as the address of the lowest memory loca- 
tion 
of any memory 
operand 
required 
by that 


instruction. 


IAPX 86/20 COMPATIBILITY: 


iAPX 286/20 supports 
portability 
of iAPX 86/20 


programs 
when 
it is in the 
real address 
mode. 
However, because 
of differences 
in the numeric 


error handing techniques, 
error handling 
routines 


may need to be changed. The differences 
between 


an iAPX 286/20 and iAPX 86/20 are: 


1. The NPX error signal does not pass through 
an 


interrupt 
controller 
(8087 
INT signal 
does). 


Therefore, 
any Interrupt 
contrOller 
onemeu 
111- 


structions 
for the iAPX 86/20 may have to be 


deleted. 


2. Interrupt 
vector 
16 must point 
at the numeric 


error handler 
routine. 


3. The saved floating 
point instruction 
address in 


the 80287 includes 
any leading 
prefixes 
before 
the ESCAPE opcode. The corresponding 
saved 
address 
of the 8087 does not include 
leading 
prefixes. 


4. In protected 
mode, the format 
of the saved in- 


struction 
and operand pointers 
is different 
than 
for 
the 8087. The 
instruction 
opcode 
is not 


saved-it 
must be read from memory if needed. 


5. Interrupt 
7 will occur 
when executing 
ESC in- 


structions 
with either TS or EM of MSW = 1. If TS 
of MSW=1 
then WAIT will also cause interrupt 
7. An interrupt 
handler should be added to han- 


dle this situation. 


6. Interrupt 
9 will occur 
if the second 
or subse- 


quent 
words 
of a floating 
point 
operand 
fall 
outside a segment's size. Interrupt 
13 will occur 
if the starting 
address 
of a numeric 
operand 
falls 
outside 
a segment's 
size. 
An 
interrupt 


handler 
should 
be added to report 
these pro- 


gramming 
errors. 


In the 
protected 
mode, 
iAPX 
86/20 
application 
code can be directly 
ported via recompilation 
if the 
286 memory 
protection 
rules are not violated. 


inter 


"NOTICE: 
Stresses 
above 
those 
listed 
under 
Ab- 


solute 
Maximum 
Ratings 
may 
cause 
permanent 


damage to the device. 
This is a stress 
rating 
only 


and functional 
operation 
of the device at these or 
any other 
conditions 
above 
those indicated 
in the 


operational 
sections 
of 
this 
specification 
is not 
implied. 
Exposure 
to absolute 
maximum 
rating 


conditions 
for extended 
periods 
may affect 
device 
reliability. 


Ambient 
Temperature 
Under 
Bias 
.. O°C to 70°C 


Storage 
Temperature 
-65°C 
to +150°C 


Voltage 
on Any Pin with 


Respect 
to Ground 
_ 
-1.0 
to +7V 


Power 
Dissipation 
3.0 Watt 


Symbol 
Para.meter 
-3 Min 
-3 max 
Unit 
Test Conditions 


V1L 
Input lOW Voltage 
-.5 
.8 
V 


V1H 
Input HIGH Voltage 
2.0 
Vcc +.5 
V 
• 


VILC 
Clock Input lOW Voltage 
.'- 


CKM = 1: 
-.5 
.8 
V 
CKM=O: 
-.5 
.6 
V 


V1HC 
Clock Input HIGH Voltage 


; 
--;;- 


CKM = 1: 
2.0 
Vcc+ 
1 
V 
CKM=O: 
3.8 
Vcc+ 
1 
V 


VOL 
Output lOW Voltage 
I 
.45 
V 
IOL=3.0 
mA 


VOH 
Output HIGH Voltage 
. 
2.4 
V 
IOH= -400 IlA 


III 
Input leakage 
Current 
±10 
IlA 
OV ,.; V1N,.;Vcc 


ILO 
Output leakage 
Current 
±10 
IlA 
.45V ,.; VOUT,.; Vcc 


Icc 
Power Supply Current 
475 
mA 


C1N 
Input Capacitance 
10 
pF 
Fc = 1 MHz 


Co 
Input/Output 
Capacitance 
. 
20 
pF 
Fc = 1 MHz 
(00-015) 


CCLK 
ClK 
Capacitance 
12 
pF 
Fc = 1 MHz 


inter 


A.C. CHARACTERISTICS (TA= O°C to 70°C, Vcc + 5V.=/-5%) 
TIMING REQUIREMENTS 
A.C. timings are referenced to 0.8V and 2.0V points on signals unless otherwise noted. 


5 MHz 


Symbol 
Parameter 
-3 Min 
-3 max 
Unit 
Test Conditions 


TCLCL 
ClK Period 
CKM = 1: 
200 
500 
ns 
CKM=O: 
62.5 
250 
ns 


TCLCH 
ClKlOWTime 
CKM=1: 
118 
ns 
AtO.8V 
CKM=O: 
15 
230 
ns 
AtO.6V 


TCHCL 
ClK HIGH Time 
CKM = 1: 
69 
ns 
At 2.0V 
CKM=O: 
20 
235 
ns 
At 3.8V 


TCH1CH2 ClK Rise Time 
10 
ns 
1.0V t03.5V if CKM = 1. 


TCL2CL1 
ClK Fall Time 
10 
ns 
3.5V to 1.0V if CKM = 1. 


TOVWH 
Data Setup to Ni5WR Inactive 
75 
ns 


TWHOX 
Data Hold from fJl5WR Inactive 
30 
ns 


TWLWH• 
TRLRH 
mwR, 
NJ5lm 
Active Time 
95 
ns 
At 0.8V 


TAVRL' 
Command Valid to fJl5WR or 


TAVWL 
NJ5lm Active 
0 
ns 


TMHRL 
Minimum Delay from PEREO 
Active to NJ5lm Active 
130 
ns 


TKLKH 
PEACK Active Time 
85 
ns 
At 0.8V 


TKHKL 
PEACK Inactive Time 
250 
ns 
At 2.0V 


TKHCH 
J5EACK Inactive to fJl5WR, NJ5lm 
Inactive 
50 
ns 


TCHKL 
NJ5WR, NJ5R['j Inactive to J5EACK 
, 


Active 
-30 
ns 


TWHAX' 
Command Hold from ffi5WR. 
TRHAX 
FJI5RO Inactive 
30 
ns 


TKLCL 
J5EACK 
Active 
Setup 
to mwR, 
FJI5RO Active 
50 
ns 


T2CLCL 
ClK286 
Period 
62.5 
ns 


T2CLCH 
ClK286 
lOW Time 
15 
ns 
AtO.8V 


T2CHCL 
ClK286 
HIGH TIme 
20 
ns 
At 2.0V 


T2SVCL 
SO,m Setup Time to ClK286 
22.5 
ns 


T2CLSH 
SO, m Hold Time from ClK286 
0 
ns 


inter 


A.C. CHARACTERISTICS, continued 
TIMING REQUIREMENTS 


Symbol 
Parameter 
-3 Min 
-3 max 
Unit 
Test Conditions 


TCIVCL 
COD/lJ\JTA Setup Time to ClK286 
0 
ns 


TCLCIH 
COD/INTA Hold Time from ClK286 
0 
ns 


TRVCL 
READY Setup Time to ClK286 
38.5 
ns 


TCLRH 
READY Hold Time from ClK286 
25 
ns 


THvCL 
HlDA Setup Time to ClK286 
0 
ns 


.. 


TCLHH 
HlDA Hold Time from ClK286 
0 
ns 


T1VCL 
NPWR, NPRD to ClK Setup Time 
70 
ns 
NOTE 1 


NPWR, NPRD from ClK Hold TIme 
. 


TCLIH 
45 
ns 
NOTE 1 


TRSCL 
RESET to ClK Setup Time 
20 
ns 
NOTE 1 


TCLRS 
RESET from ClK Hold Time 
20 
ns 
NOTE 1 


A.C. CHARACTERISTICS, 
TIMING RESPONSES 


Symbol 
Parameter 
-3 Min 
-3 max 
Unit 
Test Conditions 


TRHQZ 
l\JPR[5 Inactive to Data Float 
37.5 
ns 
NOTE 2 


TRLQV 
l\JPR[5Active to Data Valid 
60 
ns 
NOTE 3 


T1LBH 
EmOO 
Active to BOS? Inactive 
100 
ns 
NOTE 4 
. 


TWLBV 
fJl5WRActive to BUS? Active 
100 
ns 
NOTE 5 


'~.' 


TKLML 
PEACK Active to PERro 
Inactive 
127 
ns 
NOTE 6 


TCMD1 
Command Inactive Time 
Write-to-Write 
95 
ns 
At 2.0V 
Read-to-Read 
250 
ns 
At 2.0V 
Write-to-Read 
105 
ns 
At2.0V 
Read-to-Write 
95 
ns 
At2.0V 


TRHQH 
Data Hold from l\JPR[5 Inactive 
5 
ns 
NOTE 7 


NOTES: 
1. This is an asynchronous 
input. This specification 
is given for testing purposes 
only. to assure recognition 
at a specific CLK edge. 


2. Float condition 
occurs 
when output current 
is less than 
ILO on 00-015. 
3. 00-015 
loading: 
CL= 
100pF. 
4. BUSY loading: 
CL = 100pF. 
5. BUSY loading: 
CL = 100pF. 
6. On'last 
data transfer 
of numeric 
instruction. 
7. 00-015 
loading: 
CL = 100pF. 


• 
I 


DATA 
TRANSFER 
FROM 
80287 


• 
I 


DATA 
TRANSFER 
TO 
80287 
DATA MAY CHANGE 
'·~f-------- 


'""..~-- 
TWHAX I~ 
'.00,'."---i~ 
Rl'!l,NPS2 
~ 
TAVWL 
TAVRL 


} 


TMHRL- 
__ 
TCLML 
__ 


PEREO 
TKLCL__ 
_ 


inter 


,:-------------c",..=f 


NOTES: 
1. This input transition 
occurs before Ts. 
2. This input transition 
occurs after TC. 


inter 


(Reset, NPWR, NPRD are inputs asynchronous 
to ClK. Timing requirements 
on this page 


are given fortesting 
purposes only, to assure recognition 
ata specific ClKedge.) 


ClK 
(IFCKM = 1) 


_k)_~T_IV_C_L 
_ 
\\\\\\\\\ 


CLK, RESET TIMING (CKM = 0) 


1/>2 


'- 
, -'°'"1 
~'~ 


RESET 
r 
~ 


NOTE: Reset 
must 
meet 
timing 
shown 
to 
guarantee 
known 
phase 
of 
internal 
-+- 3 
circuit. 


CLK, NPRD, NPWR TIMING (CKM = 0) 
I 
1/>2 
1/>, 


\\\\\\\\\\\ 
'~1J=_T_'IIC_l 
_ 


inter 


Temporary 
Real Memory to 
ST(OI 


BCD Memory 
to ST(O) 


FST ~ STORE 


ST(OI to Integer/Real 
Memory 


FSTP ~ STORE AND POP 


ST(O) to Integer/Real 
Memory 


ST(O} to Temporary 
Real 
Memory 


ST(O) to BCD Memory 


Comparison 


FCOM = Compare 


Integer/Real 
Memory 
to ST(OI 


Integer/Real 
Memory 
to ST(OI 


ST(II to ST(OI 


I ESCAPE 


I ESCAPE 


[ESCAPE 


I ESCAPE 


I ESCAPE 


I ESCAPE 


I ESCAPE 


I ESCAPE 
I ESCAPE 


I ESCAPE 


I ESCAPE 


I ESCAPE 


I 
MOD 
[1 


Optional 
8,16 Bit 
Displacement 


[~ - 


1- ~ _. _DI~P_ 
-: 


[ 
- 
- 
DISP 


I~ 


o 
R/M 
[ 
- 


o 
ST(I) I 


R/M 
[ 
~ 
_ 
~I~P _ J 


RIMI - 


1 
1 
R/M [ 
~ _ :>I~P_ _ 


R/M 
[ 
~ 
~ 
~I~_ 


@CAPE 
0 
0 
1 I 
1 
1 
0 
0 
1 
ST(I) I 


I ESCAPE 
MF 


I ESCAPE 
0 
0 
0 


I ESCAPE 
MF 


I ESCAPE 
0 


FCOMPP 
~ Compare 
ST(1) to 
[ ESCAPE 


ST(O) and Pop Twice 
I ESCAPE 
0 
0 


I ESCAPE 
0 
0 


MOD 
0 


o 


o 
RIM 
[ 
~ 


ST(II I 


Clock Count Range 
32 Bit 
32 Bit 
64 BII 
Real 
Integer 
Real 


63-73 
80-93 


45-52 


~ 
I 
Option II 
Clock Count Rlngl 


8,16 Bit 
32 Bit 
32 Bit 
64 Bit 
16 Bit 
Constants 
Displacement 
Rill 
Integer 
Rill 
Integer 


I MF 
~ 
00 
01 
10 
11 


FLDZ ~ LOAD + 0.0 into ST(O) I ESCAPE 
0 
0 
1 I 1 
1 
1 
0 
1 
1 
1 
0 
I 
11-17 


FLD1 ~ LOAD + 1.0 into ST(O) 
I ESCAPE 
0 
0 
1 
I 
1 
1 
1 
0 
1 
0 
0 
0 
I 
15-21 


FLDPI 
= LOAD 
1T into ST(O) 
I ESCAPE 
0 
0 
1 I 1 
1 
1 
0 
1 
0 
1 
1 I 
16-22 


FLDL2T 
~ LOAD IOg2 10 into 
I ESCAPE 
0 
0 
1 
[ 
1 
1 
1 
0 
1 
0 
0 
1 I 
16-22 
ST(O) 


FLDL2E 
= LOAD log2 e into 
[ESCAPE 
0 
0 
1 I 
1 
1 
1 
0 
1 
0 
1 
0 I 
15-21 
ST(O) 


FLDLG2 
~ LOAD log,o 
2 into 
I ESCAPE 
I 
I 
ST{O) 
0 
0 
1 
1 
1 
1 
0 
1 
1 
0 
0 
18-24 


FLDLN2 
~ LOAD loge2 into 
EPE 
0 
0 
1 I 1 
1 
1 
0 
1 
1 
0 
1 I 
17-23 
ST(O) 


Arithmetic 


FADD ~ Addition 
I 
I 
R/M~~ 
- - - -, 
Integer/Real 
Memory with ST(O) 
ESCAPE 
MF 
0 
MOD 
0 
0 
0 
DISP 
i 
90-120 
108-143 
95-125 
102-137 
- - - 


ST(i) and ST(O) 
I ESCAPE 
d 
P 
0 I 
1 
1 
0 
0 
0 
ST(i) 
I 
70-100 
(Note 1) 


FSUB "'"Subtraction 


[ 
I 
[ 


.- - _. -, 
102-137 
IntegerlReal 
Memory with ST(O) 
ESCAPE 
MF 
0 
MOD 
1 
0 
R 
RIM 
DISP 
90-120 
108-143 
95-125 
- - - -' 


ST(i) and ST(O) 
I 


ESCAPE 
d 
P 
0 I 1 
1 
1 
0 
R 
RIM 
l 
70-100 (Note 1) 


FMUL 
= Multiplication 
I 
[ 
[ - - - -, 
IntegerlReal 
Memory with ST(O) 
ESCAPE 
MF 
0 
MOD 
0 
0 
1 
RIM 
DISP 
110-125 
130-144 
112-168 
124-138 
- - - .: 


ST(i) and ST(O) 
[ 
ESCAPE 
d 
P 
0 I 
1 
1 
0 
0 
1 
RIM 
I 
90-145 (Note 1) 


FDIV = Division 


I 
I 
[ 


_. - - 
Integer/Real 
Memory with ST(O) 
ESCAPE 
MF 
0 
MOD 
1 
1 
R 
RIM 
DISP 
, 
215-225 
230-243 
220-230 
224-238 
- - - 
i 


ST(i) and ST(O) 
I ESCAPE 
d 
P 
0 I 
1 
1 
1 
1 
R 
RIM 
I 
193-203 (Note 1) 


FSQRT = Square Root of ST(O) I 


ESCAPE 
0 
0 
1 I 
1 
1 
1 
1 
1 
0 
1 
0 I 
180-186 


FSCALE 
~ Scale ST(O) by ST(l) I ESCAPE 
0 
0 
1 I 
1 
1 
1 
1 
1 
1 
0 
1 I 
32-38 


FPAEM = Partial Remainder 
of I ESCAPE 
0 
0 
1 I 1 
1 
1 
1 
1 
0 
0 
0 I 
15-190 
ST{O) -;-ST(l) 


FRNDINT 
= Round ST{O) to 
I ESCAPE 
0 
0 
1 I 
1 
1 
1 
1 
1 
1 
0 
0 I 
16-50 


Integer 


inter 


FABS = Absolute 
Value of 


ST(O) 


FCHS 
= Change 
Sign of ST(O) 


FPATAN = Partial 
Arctangent 


of ST(O) -;-ST(I) 


F2XMl 
= 25TIOI_1 


FYL2X = ST(1 I' 
Log2 


IST(O)l 


FYL2XPl 
= STili' 
Log2 


IST(O) +11 


Processor 
Control 


ESCAPE 
0 
0 
1 
MOD 
1 
RIM 
I ~ ~ ?I~~~ 
J 


ESCAPE 
0 
MOD 
R/M~ 
~ ~~I~~~~: 


ESCAPE 
0 
1 
MOD 
1 
1 
1 
RIM 
I~~·~l~~'~.J 


~~~ 
1 
1 
1 
1 
o 
0 
1 
0 


jEseAPE 
0 
1 I 
0 


ESCAPE 
0 ~ 
0 
0 


ESCAPE 
1 I 
1 
1 
1 
0 ~ 


[ESCAPE 
0 
I 
o 
0 
1 


jESCAPE 
0 
1 
1 
I 
1 
1 
1 
0 
0 


ESCAPE 
0 
1 I 
0 
0 


ESCAPE 
1 
1 
1 [Yl 
1 
0 
0 
0 


Optional 
8,16 Bit 
Displacement 


ESCAPE 
0 
0 
[MOD 


I MOD 
1 
0 
RIM 


o 
1 I 
MOD 
0 
RIM 


o 
1 I 
MOD 
RIM 


~E_S_C_A_P_E_O 
__ ' _'~_'_' 
O_O_O __ '_~I 
I~~?~~~-~: 
[ ~'~~~~.J 
[ ~:~~~'~J 


I~-~:~~~.~'J 


inter 


ESCAPE 
1 
0 
1 I 
1 
1 
0 
0 
0 
ST(i) 


ESCAPE 
0 
0 
1 I 
1 
1 
0 
1 
0 
0 
0 
0 


NOTES: 
1. if mod=OO then DISP=O·, disp-Iow and disp-high 
are absent 


if mod=01 then DISP=disp-low 
sign-extended 
to 16-bits, disp-high 
is absent 


if mod=10 then DISP=disp-high; 
disp-Iow 


if mod = 11 then rim is treated as an ST(i) field 


2. if r/m=OOO then EA=(BX) 
+ (SI) +DISP 


if r/m=001 
then EA=(BX) 
+ (01) +DISP 


if r/m=010 
then EA=(BP) 
+ (SI) +DISP 


if r/m=011 
then EA=(BP) 
+ (01) +DISP 


if r/m=100 
then EA=(SI) + DISP 


if r/m=101 
then EA=(DI) 
+ DISP 


if r/m=110 
then EA=(BP) 
+ DISP 


if r/m=111 
then EA=(BX) 
+ DISP 


·except if mod=OOOand r/m=110 
then EA =disp-high; 
disp-Iow. 
3. MF= 
Memory Format 
00-32-bit 
Real 
01-32-bit 
Integer 
10-54-bit 
Real 
11-16-bit 
Integer 


4. ST(O)= 
Current stack top 


ST(i) 
ith register below stack top 


5. d= 
Destination 
O-Destination 
is ST(O) 
1-Destination 
is ST(i) 


6. P= 
Pop 
O-No 
pop 


1-Pop 
ST(O) 
7. R= 
Reverse: When d=1 reverse the sense of R 
O-Destination 
(op) Source 


1-Source 
(op) Destination 


8. 
For FSQRT: 
-0 
'" ST(O) '" +00 
For FSCALE: 
_215", 
ST(1) < +215 and ST(1) integer 


For F2XM1: 
0'" 
ST(O) '" 2-1 


For FYL2X: 
0 < ST(O) <00 
-00 < ST(1) < + 00 


For FYL2XP1: 
0'" 
IST(O)I < (2 -V2)/2 


-00 < ST(1) < 00 
For FPTAN: 
0", 
ST(O) "'1r/4 


For FPATAN: 
0", 
ST(O) < ST(1) < +00 


9. ESCAPEbit pattern is 11011. 


Glossary Of 80287 And 
Floating-Point 
Terminology 


GLOSSARY 
OF 80287 
AND FLOATING-POINT 
TERMINOLOGY 


This glossary 
defines 
many terms 
that 
have precise 
technical 
meanings 
as specified 
in the IEEE 
754 
Standard. 
Where 
these terms are used, they have been capitalized 
to emphasize 
the precision 
of their 
meanings. 
In reading 
these definitions, 
you may therefore 
interpret 
any capitalized 
terms or phrases 
as 


cross-references. 


Affine Mode: 
a state of the 80287, selected 
in the 80287 Control 
Word, in which infinities 
are treated 


as having a sign. Thus, 
the values 
+ INFINITY 
and - INFINITY 
are considered 
different; 
they can 
be compared 
with finite numbers 
and with each other. 


Base: 
(1) a term 
used in logarithms 
and exponentials. 
In both contexts, 
it is a number 
that 
is being 
raised to a power. The two equations 
(y = log base b of x) and (bY = x) are the same. 


Base: 
(2) a number 
that defines the representation 
being used for a string of digits. Base 2 is the binary 


representation; 
Base 10 is the decimal 
representation; 
Base 16 is the hexadecimal 
representation. 
In 
each case, the Base is the factor 
of increased 
significance 
for each succeeding 
digit (working 
up from 
the bottom). 


Bias: 
the difference 
between 
the unsigned 
Integer 
that 
appears 
in the Exponent 
field of a Floating- 


Point Number 
and the true Exponent 
that it represents. 
To obtain the true Exponent, 
you must subtract 
the Bias from the given Exponent. 
For example, 
the Short Real format 
has a Bias of 127 whenever 
the 
given 
Exponent 
is nonzero. 
If the 
8-bit 
Exponent 
field 
contains 
100000 II, 
which 
is 131, the true 
Exponent 
is 131-127, 
or +4. 


Biased Exponent: 
the Exponent 
as it appears 
in a Floating-Point 
Number, 
interpreted 
as an unsigned, 
positive number. 
In the above example, 
131 is the Biased Exponent. 


Binary Coded Decimal: 
a method of storing numbers that retains a base 10 representation. 
Each decimal 


digit occupies 
4 full bits (one hexadecimal 
digit). 
The hex values 
A through 
F (1010 through 
1111) 
are not used. The 80287 supports 
a Packed 
Decimal 
format 
that consists of 9 bytes of Binary 
Coded 
Decimal 
(18 decimal 
digits) and one sign byte. 


Binary Point: 
an entity just like a decimal 
point, except 
that it exists in binary 
numbers. 
Each binary 
digit to the right of the Binary Point is multiplied 
by an increasing 
negative 
power of two. 


C3-CO: 
the four "condition 
code" bits of the 80287 Status 
Word. These bits are set to certain 
values 
by the compare, 
test, examine, 
and remainder 
functions 
of the 80287. 


Characteristic: 
a term used for some non-Intel 
computers, 
meaning 
the Exponent 
field of a Floating- 
Point Number. 


Chop: 
to set the fractional 
part of a real number 
to zero, yielding 
the nearest 
integer 
in the direction 
of zero. 


Control 
Word: 
a 16-bit 80287 register 
that 
the user can set, to determine 
the modes of computation 
the 80287 will use, and the error interrupts 
that will be enabled. 


Denormal: 
a special 
form of Floating-Point 
Number, 
produced 
when an Underflow 
occurs. 
On the 
80287, a Denormal 
is defined 
as a number 
with a Biased Exponent 
that is zero. By providing 
a Sign i- 
ficand with leading 
zeros, the range of possible negative 
Exponents 
can be extended 
by the number 
of 


bits in the Significand. Each leading zero is a bit of lost accuracy, so the extended Exponent range is 
obtained by reducing significance. 


Double Extended: the Standard's term for the 80287 Temporary Real format, with more Exponent 
and Significand bits than the Double (Long Real) format, and an explicit Integer bit in the Significand. 


Environment: the 14 bytes of 80287 registers affected by the FSTENV and FLDENV instructions. It 
encompasses the entire state of the 80287, except for the 8 Temporary Real numbers of the 80287 
stack. Included are the Control Word, Status Word, Tag Word, and the instruction, opcode, and operand 
information provided by interrupts. 


Exponent: (1) any power that is raised by an exponential function. For example, the operand to the 
function mqerEXP is an Exponent. The Integer operand to mqerYI2 is an Exponent. 


Exponent: (2) the field of a Floating-Point Number that indicates the magnitude of the number. This 
would fall under the above more general definition (1), except that a Bias sometimes needs to be 
subtracted to obtain the correct power. 


Floating-Point Number: a sequence of data bytes that, when interpreted in a standardized way, repre- 
sents a Real number. Floating-Point Numbers are more versatile than Integer representations in two 
ways. First, they include fractions. Second, their Exponent parts allow a much wider range of magni- 
tude than possible with fixed-length Integer representations. 


Gradual Underflow: a method of handling the Underflow error condition that minimizes the loss of 
accuracy in the result. If there is a Denormal number that represents the correct result, that Denormal 
is returned. Thus, digits are lost only to the extent of denormalization. Most computers return zero 
when Underflow occurs, losing all significant digits. 


Implicit Integer Bit: a part of the Significand in the Short Real and Long Real formats that is not 
explicitly given. In these formats, the entire given Significand is considered to be to the right of the 
Binary Point. A single Implicit Integer Bit to the left of the Binary Point is always 1, except in one 
case. When the Exponent is the minimum (Biased Exponent is 0), the Implicit Integer Bit is O. 


Indefinite: a special value that is returned by functions when the inputs are such that no other sensible 
answer is possible. For each Floating-Point format there exists one Nontrapping NaN that is designated 
as the Indefinite value. For binary Integer formats, the negative number furthest from zero is often 
considered the Indefinite value. For the 80287 Packed Decimal format, the Indefinite value contains 
all I's in the sign byte and the uppermost digits byte. 


Infinity: a value that has greater magnitude than any Integer or any Real number. The existence of 
Infinity is subject to heated philosophical debate. However, it is often useful to consider Infinity as 
another number, subject to special rules of arithmetic. All three Intel Floating-Point formats provide 
representations for +INFINITY 
and - INFINITY. 
They support two ways of dealing with Infinity: 
Projective (unsigned) and Affine (signed). 


Integer: a number (positive, negative, or zero) that is finite and has no fractional part. Integer can also 
mean the computer representation for such a number: a sequence of data bytes, interpreted in a stand- 
ard way. It is perfectly reasonable for Integers to be represented in a Floating-Point format; this is 
what the 80287 does whenever an Integer is pushed onto the 80287 stack. 


infel 


Invalid Operation: the error condition for the 80287 that covers all cases not covered by other errors. 
Included are 80287 stack overflow and underflow, NaN inputs, illegal infinite inputs, out-of-range 
inputs, and illegal unnormal inputs. 


Long Integer: an Integer format supported by the 80287 that consists of a 64-bit Two's Complement 
quantity. 


Long Real: a Floating-Point Format supported by the 80287 that consists of a sign, an II-bit Biased 
Exponent, an Implicit Integer Bit, and a 52-bit Significand-a 
total of 64 explicit bits. 


Mantissa: a term used for some non-Intel computers, meaning the Significand of a Floating-Point 
Number. 


Masked: a term that applies to each of the six 80287 Exceptions I,D,Z,O,U,P. An exception is Masked 
if a corresponding bit in the 80287 Control Word is set to I. If an exception is Masked, the 80287 will 
not generate an interrupt when the error condition occurs; it will instead provide its own error recovery. 


NaN: an abbreviation for Not a Number; a Floating-Point quantity that does not represent any numeric 
or infinite quantity. NaNs should be returned by functions that encounter serious errors. If created 
during a sequence of calculations, they are transmitted to the final answer and can contain information 
about where the error occurred. 


Nontrapping NaN: a NaN in which the most significant bit of the fractional part of the Significand is 
I. By convention, these NaNs can undergo certain operations without visible error. Nontrapping NaNs 
are implemented for the 80287 via the software in EH87.LIB. 


Normal: the representation of a number in a Floating-Point format in which the Significand has an 
Integer bit I (either explicit or Implicit). 


Normalizing Mode: a state in which nonnormal inputs are automatically converted to normal inputs 
whenever they are used in arithmetic. Normalizing Mode is implemented for the 80287 via the software 
in EH87.LIB. 


Overflow: an error condition in which the correct answer is finite, but has magnitude too great to be 
represented in the destination format. 


Packed Decimal: an Integer format supported by the 80287. A Packed Decimal number is a lO-byte 
quantity, with nine bytes of 18 Binary Coded Decimal digits, and one byte for the sign. 


Precision Control: an option, programmed through the 80287 Control Word, that allows all 80287 
arithmetic to be performed with reduced precision. Because no speed advantage results from this option, 
its only use is for strict compatibility with the IEEE Standard, and with other computer systems. 


Precision Exception: an 80287 error condition that results when a calculation does not return an exact 
answer. This exception is usually Masked and ignored; it is used only in extremely critical applications, 
when the user must know if the results are exact. 


Projective Mode: 
a state of the 80287, selected in the 80287 Control Word, in which infinities are 
treated as not having a sign. Thus the values +INFINITY and - INFINITY are considered the same. 


~_ •• ~ ••• VI'_' u ••vu~, 
~U,",il a~ ,",VUI}Jdll>Vl1 LU IlIllll: 
numoers, 
are Illegal 
III YroJective 
Mode but legal in 
Affine Mode. Thus Projective 
Mode gives you a greater 
degree of error control over infinite 
inputs. 


Pseudo 
Zero: 
a special 
value of the Temporary 
Real format. 
It is a number 
with a zero significand 
and an Exponent 
that 
is neither 
all zeros or all ones. Pseudo 
zeros can come about 
as the result 
of 
multiplication 
of two Unnormal 
numbers; 
but they are very rare. 


Real: 
any finite value (negative, 
positive, or zero) that can be represented 
by a decimal 
expansion. 
The 
fractional 
part of the decimal 
expansion 
can contain 
an infinite 
number 
of digits. Reals can be repre- 
sented as the points of a line marked 
off like a ruler. The term Real can also refer to a Floating-Point 
Number 
that represents 
a Real value. 


Short 
Integer: 
an Integer 
format 
supported 
by the 80287 that consists of a 32-bit Two's Complement 
quantity. 
Short Integer 
is not the shortest 
80287 Integer 
format-the 
16-bit Word Integer 
is. 


Short 
Real: 
a Floating-Point 
Format 
supported 
by the 80287, which consists of a sign, an 8-bit Biased 
Exponent, 
an Implicit 
Integer 
Bit, and a 23-bit Significand-a 
total of 32 explicit 
bits. 


Significand: 
the part of a Floating-Point 
Number 
that consists of the most significant 
nonzero 
bits of 
the number, 
if the number 
were written 
out in an unlimited 
binary 
format. 
The Significand 
alone is 
considered 
to have a Binary Point after the first (possibly 
Implicit) 
bit; the Binary Point is then moved 
according 
to the value of the Exponent. 


Single Extended: 
a Floating-Point 
format, 
required 
by the Standard, 
that 
provides 
greater 
precision 
than Single; it also provides 
an explicit 
Integer 
Significand 
bit. The 80287's 
Temporary 
Real format 
meets the Single Extended 
requirement 
as well as the Double 
Extended 
requirement. 


Standard: 
"a Proposed 
Standard 
for Binary Floating-Point 
Arithmetic," 
Draft 
10.0 of IEEE Task P754, 
December 
2, 1982. 


Status 
Word: 
A 16-bit 80287 register 
that can be manually 
set, but which is usually controlled 
by side 
effects 
to 80287 instructions. 
It contains 
condition 
codes, the 80287 stack pointer, 
busy and interrupt 
bits, and error flags. 


Tag Word: 
a 16-bit 80287 register 
that is automatically 
maintained 
by the 80287. For each space in 
the 80287 stack, 
it tells if the space is occupied 
by a number; 
if so, it gives information 
about 
what 
kind of number. 


Temporary 
Real: 
the main Floating-Point 
Format 
used by the 80287. 
It consists 
of a sign, a IS-bit 
Biased Exponent, 
and a Significand 
with an explicit 
Integer 
bit and 63 fractional-part 
bits. 


Transcendental: 
one of a class of functions 
for which 
polynomial 
formulas 
are always 
approximate, 
never exact for more than isolated values. The 80287 supports 
trigonometric, 
exponential, 
and logarith- 
mic functions; 
all are Transcendental. 


Trapping 
NaN: 
a NaN 
that causes an I error whenever 
it enters into a calculation 
or comparison, 
even 
a nonordered 
comparison. 


Two's Complement: 
a method 
of representing 
Integers. 
If the uppermost 
bit is 0, the number 
is consid- 
ered positive, 
with the value given by the rest of the bits. If the uppermost 
bit is I, the number 
is 
negative, 
with the value 
obtained 
by subtracting 
(2b;' cou",) from all the given bits. For example, 
the 
8-bit number 
11111100 
is -4, 
obtained 
by subtracting 
28 from 252. 


Unbiased Exponent: the true value that tells how far and in which direction to move the Binary Point 
of the Significand of a Floating-Point Number. For example, if a Short Real Exponent is 131, we 
subtract the Bias 127 to obtain the Unbiased Exponent +4. Thus, the Real number being represented 
is the Significand with the Binary Point shifted 4 bits to the right. 


Underflow: an error condition in which the correct answer is nonzero, but has a magnitude too small 
to be represented as a Normal number in the destination Floating-Point format. The Standard specifies 
that an attempt be made to represent the number as a Denormal. 


Unmasked: a term that applies to each of the six 80287 Exceptions: I,D,Z,O,U,P. An exception is 
Unmasked if a corresponding bit in the 80287 Control Word is set to O. If an exception is Unmasked, 
the 80287 will generate an interrupt when the error condition occurs. You can provide an interrupt 
routine that customizes your error recovery. 


Unnormal: a Temporary Real representation in which the explicit Integer bit of the Significand is 
zero, and the exponent is nonzero. We consider Unnormal numbers distinct from Denormal numbers. 


Word Integer: an Integer format supported by both the 80286 and the 80287 that consists of a 16-bit 
Two's Complement quantity. 


Zero divide: an error condition in which the inputs are finite, but the correct answer, even with an 
unlimited exponent, has infinite magnitude. 


